
Windows Analysis Report
faktura proforma pdf.exe

Overview

General Information

Sample name: faktura proforma pdf.exe
Analysis ID: 1540850
MD5: a2769ba56f8b84de34deee154f4bfba2
SHA1: 01771e5df223fac2315e8ab9ba72234a1a41f0ba
SHA256: 9f7da651412232824c868086dd48a7d63af0dbb007cef4db8c24edda9b2fcdbb
Tags: exe, user-Adamek

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • faktura proforma pdf.exe (PID: 2692 cmdline: "C:\Users\user\Desktop\faktura proforma pdf.exe" MD5: A2769BA56F8B84DE34DEEE154F4BFBA2)
    • powershell.exe (PID: 1696 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7268 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 6548 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xmAdkuQjxrS" /XML "C:\Users\user\AppData\Local\Temp\tmp69A7.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 1376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7188 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • mstsc.exe (PID: 7524 cmdline: "C:\Windows\SysWOW64\mstsc.exe" MD5: EA4A02BE14C405327EEBA8D9AD2BD42C)
          • cmd.exe (PID: 7600 cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • raserver.exe (PID: 7540 cmdline: "C:\Windows\SysWOW64\raserver.exe" MD5: D1053D114847677185F248FF98C3F255)
  • xmAdkuQjxrS.exe (PID: 7332 cmdline: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe MD5: A2769BA56F8B84DE34DEEE154F4BFBA2)
    • schtasks.exe (PID: 7456 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xmAdkuQjxrS" /XML "C:\Users\user\AppData\Local\Temp\tmp77D0.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7508 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Malware Configuration (FormBook)

{
  "C2 list": ["www.asposted.online/gy15/"],
  "decoy": [
    "hairsdeals.today", "acob-saaad.buzz", "9955.club", "gild6222.vip", "nline-shopping-56055.bond",
    "lmadulles.top", "utemodels.info", "ighdd4675.online", "nqqkk146.xyz", "avasales.online",
    "ortas-de-madeira.today", "haad.xyz", "races-dental-splints-15439.bond", "hilohcreekpemf.online",
    "rrivalgetaways.info", "orktoday-2507-02-sap.click", "eceriyayinlari.xyz", "lsurfer.click",
    "aston-saaae.buzz", "etrot.pro", "68mp269rf.autos", "ndia567.vip", "jinni.buzz", "rey.app",
    "enior-living-72184.bond", "rogramdokpirdarmowy.today", "ejcloud.info", "ools-59989.bond",
    "astbiz.net", "ixaahx.shop", "hqaiop.xyz", "indow-replacement-46487.bond", "rogramdokpirdarmowy.today",
    "remoter.net", "ecorationworld.net", "ilkool.info", "bandoned-houses-50880.bond",
    "andscaping-services-2507.today", "42ve.shop", "orthfitness.net", "ink-gluwty.online", "18721.club",
    "ahrump.homes", "uuxe6hi1l.lol", "hopbestdeals.online", "rocbotserver2.online", "8210.app",
    "oftware-download-44761.bond", "78ex.net", "lake-paaab.buzz", "olocal.app", "oxpal.best",
    "hetinkerfoundation.net", "eleerm-czjp.top", "omaininformaniacion.fun", "ahadevindia.info",
    "j11.online", "isax.xyz", "lennuser.shop", "48691640.top", "6747.asia", "stralvoyage.website",
    "aihora.info", "0372.photo"
  ]
}
Yara matches (memory dumps)

Source: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116; Description: unknown; Author: unknown
    • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
    • 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
  Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
    • 0x18819:$sqlite3step: 68 34 1C 7B E1
    • 0x1892c:$sqlite3step: 68 34 1C 7B E1
    • 0x18848:$sqlite3text: 68 38 2A 90 C5
    • 0x1896d:$sqlite3text: 68 38 2A 90 C5
    • 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18983:$sqlite3blob: 68 53 D8 7F 8C
  (38 further entries not shown)
Yara matches (unpacked PEs)

Source: 6.2.RegSvcs.exe.400000.0.unpack
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116; Description: unknown; Author: unknown
    • 0x5451:$a1: 3C 30 50 4F 53 54 74 09 40
    • 0x1bd90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    • 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
  Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1aaf7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1bafa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
    • 0x17a19:$sqlite3step: 68 34 1C 7B E1
    • 0x17b2c:$sqlite3step: 68 34 1C 7B E1
    • 0x17a48:$sqlite3text: 68 38 2A 90 C5
    • 0x17b6d:$sqlite3text: 68 38 2A 90 C5
    • 0x17a5b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x17b83:$sqlite3blob: 68 53 D8 7F 8C
  (25 further entries not shown)

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems)
Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\faktura proforma pdf.exe", ParentImage: C:\Users\user\Desktop\faktura proforma pdf.exe, ParentProcessId: 2692, ParentProcessName: faktura proforma pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe", ProcessId: 1696, ProcessName: powershell.exe

Source: Process started; Author: Florian Roth (Nextron Systems)
Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\faktura proforma pdf.exe", ParentImage: C:\Users\user\Desktop\faktura proforma pdf.exe, ParentProcessId: 2692, ParentProcessName: faktura proforma pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe", ProcessId: 1696, ProcessName: powershell.exe

Source: Process started; Author: Florian Roth (Nextron Systems)
Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xmAdkuQjxrS" /XML "C:\Users\user\AppData\Local\Temp\tmp77D0.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xmAdkuQjxrS" /XML "C:\Users\user\AppData\Local\Temp\tmp77D0.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe, ParentImage: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe, ParentProcessId: 7332, ParentProcessName: xmAdkuQjxrS.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xmAdkuQjxrS" /XML "C:\Users\user\AppData\Local\Temp\tmp77D0.tmp", ProcessId: 7456, ProcessName: schtasks.exe

Source: Process started; Author: Florian Roth (Nextron Systems)
Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xmAdkuQjxrS" /XML "C:\Users\user\AppData\Local\Temp\tmp69A7.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xmAdkuQjxrS" /XML "C:\Users\user\AppData\Local\Temp\tmp69A7.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\faktura proforma pdf.exe", ParentImage: C:\Users\user\Desktop\faktura proforma pdf.exe, ParentProcessId: 2692, ParentProcessName: faktura proforma pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xmAdkuQjxrS" /XML "C:\Users\user\AppData\Local\Temp\tmp69A7.tmp", ProcessId: 6548, ProcessName: schtasks.exe

Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\faktura proforma pdf.exe", ParentImage: C:\Users\user\Desktop\faktura proforma pdf.exe, ParentProcessId: 2692, ParentProcessName: faktura proforma pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe", ProcessId: 1696, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started; Author: Joe Security
Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xmAdkuQjxrS" /XML "C:\Users\user\AppData\Local\Temp\tmp69A7.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xmAdkuQjxrS" /XML "C:\Users\user\AppData\Local\Temp\tmp69A7.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\faktura proforma pdf.exe", ParentImage: C:\Users\user\Desktop\faktura proforma pdf.exe, ParentProcessId: 2692, ParentProcessName: faktura proforma pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xmAdkuQjxrS" /XML "C:\Users\user\AppData\Local\Temp\tmp69A7.tmp", ProcessId: 6548, ProcessName: schtasks.exe

Suricata alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-24T09:06:01.145442+0200 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50007 | 13.248.252.114 | 80 | TCP
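The process tree and the Sigma events above describe one chain: a dropper on the user's Desktop runs powershell.exe to add a Defender exclusion for its copy under AppData\Roaming, registers a scheduled task from an XML file in the user's Temp directory, starts RegSvcs.exe with an empty command line as an injection host, and later has mstsc.exe launch cmd.exe to delete the RegSvcs.exe path. The Python below is an added example, not Joe Sandbox or Sigma code. It encodes those four behaviours as checks over Sysmon Event ID 1-style process-creation records; the field names, the cmd.exe image path, the RegAsm.exe entry in the host list and the two benign control events are assumptions, while every other command line is taken from the tree.

```python
"""Process-tree triage for the behaviours in the report (added example, not Joe Sandbox or Sigma code)."""
import re
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, str]  # assumed Sysmon Event ID 1-style fields: ProcessId, Image, CommandLine, ParentImage

# Path fragments treated as "temp" and as "trusted install" locations (lower-case, backslash form).
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
TRUSTED_PARENT_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# .NET Framework utilities abused as hollowing hosts; RegSvcs.exe is in this report, RegAsm.exe is an assumption.
HOLLOWING_HOSTS = {"regsvcs.exe", "regasm.exe"}


def _name(path: str) -> str:
    """Lower-case file name of a Windows path, independent of the host OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_defender_exclusion(ev: Event) -> Optional[str]:
    """powershell.exe adding a Defender exclusion (the Add-MpPreference event in the tree)."""
    if _name(ev["Image"]) != "powershell.exe":
        return None
    m = re.search(r'add-mppreference\s+-exclusion(?:path|process|extension)\s+"?([^"\s]+)',
                  ev["CommandLine"], re.I)
    if not m:
        return None
    return f"Defender exclusion added for {m.group(1)} by parent {_name(ev['ParentImage'])}"


def check_schtasks_xml_from_temp(ev: Event) -> Optional[str]:
    """schtasks /Create importing task XML from a temp directory."""
    if _name(ev["Image"]) != "schtasks.exe":
        return None
    cl = ev["CommandLine"]
    m = re.search(r'/xml\s+"?([^"\s]+)', cl, re.I)
    if not re.search(r"/create\b", cl, re.I) or not m:
        return None
    if not any(marker in m.group(1).lower() for marker in TEMP_MARKERS):
        return None
    return f"Scheduled task imported from temp XML {m.group(1)} by parent {_name(ev['ParentImage'])}"


def check_host_started_without_args(ev: Event) -> Optional[str]:
    """A hollowing host launched with an empty command line by a parent outside trusted install dirs."""
    image = _name(ev["Image"])
    if image not in HOLLOWING_HOSTS:
        return None
    if _name(ev["CommandLine"].strip().strip('"')) != image:
        return None  # real arguments present
    if ev["ParentImage"].lower().startswith(TRUSTED_PARENT_DIRS):
        return None
    return f"{image} started with no arguments by {_name(ev['ParentImage'])} (possible hollowing host)"


def check_windows_binary_deleted(ev: Event) -> Optional[str]:
    """cmd.exe /c del against a file under C:\\Windows (the tree shows the RegSvcs.exe path being removed)."""
    if _name(ev["Image"]) != "cmd.exe":
        return None
    m = re.search(r'/c\s+del\s+(?:/\w\s+)*"?([^"]+?\.exe)', ev["CommandLine"], re.I)
    if not m or not m.group(1).lower().startswith("c:\\windows\\"):
        return None
    return f"cmd.exe deleting {m.group(1)} on behalf of {_name(ev['ParentImage'])}"


CHECKS: Tuple[Callable[[Event], Optional[str]], ...] = (
    check_defender_exclusion,
    check_schtasks_xml_from_temp,
    check_host_started_without_args,
    check_windows_binary_deleted,
)


def analyze(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (ProcessId, finding) pairs for every check that fires on each event."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append((ev["ProcessId"], hit))
    return findings


DESKTOP_DROPPER = r"C:\Users\user\Desktop\faktura proforma pdf.exe"

# Constructed events mirroring the report's process tree (not a real log export); the cmd.exe
# image path and the two benign controls at the end are assumptions.
SAMPLE_EVENTS: List[Event] = [
    {"ProcessId": "1696", "ParentImage": DESKTOP_DROPPER,
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe"'},
    {"ProcessId": "6548", "ParentImage": DESKTOP_DROPPER,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xmAdkuQjxrS" /XML "C:\Users\user\AppData\Local\Temp\tmp69A7.tmp"'},
    {"ProcessId": "7188", "ParentImage": DESKTOP_DROPPER,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
    {"ProcessId": "7600", "ParentImage": r"C:\Windows\SysWOW64\mstsc.exe",
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
    {"ProcessId": "9001", "ParentImage": r"C:\Program Files\Vendor\updater.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /TN "Vendor\Update" /XML "C:\ProgramData\Vendor\update.xml"'},
    {"ProcessId": "9002", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Get-MpPreference"},
]

if __name__ == "__main__":
    for pid, finding in analyze(SAMPLE_EVENTS):
        print(pid, finding)
```

The checks are deliberately narrow: a vendor updater importing task XML from ProgramData or an administrator running Get-MpPreference does not fire, while each of the four report events produces exactly one finding. Parent image is carried into every finding because, as the Sigma records show, the parent (a Desktop executable, then a SysWOW64 mstsc.exe) is what separates this chain from legitimate use of the same binaries.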

AV Detection

Source: 00000000.00000002.1737166544.00000000045C8000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: FormBook (identical to the configuration JSON reproduced above after the process tree: C2 www.asposted.online/gy15/ plus the decoy domain list)
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe, ReversingLabs: Detection: 34%
Source: faktura proforma pdf.exe, ReversingLabs: Detection: 34%
Source: Yara match, File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.xmAdkuQjxrS.exe.41fb088.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.1791235982.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1737166544.00000000045C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.1773933452.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.4142797665.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.4142425418.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.4142752695.0000000003670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe, Joe Sandbox ML: detected
Source: faktura proforma pdf.exe, Joe Sandbox ML: detected
Source: faktura proforma pdf.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: faktura proforma pdf.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RegSvcs.pdb, source: explorer.exe, 00000007.00000002.4158146718.00000000110CF000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4143827334.000000000579F000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4142597154.00000000033E4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000003.1788289388.00000000050A3000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4143220844.0000000005250000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000003.1781032119.0000000004EF8000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4143220844.00000000053EE000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000E.00000002.1791709211.00000000050CE000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000E.00000003.1785605859.0000000004BCB000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000E.00000002.1791709211.0000000004F30000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000E.00000003.1789576741.0000000004D7C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000003.1788289388.00000000050A3000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4143220844.0000000005250000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000003.1781032119.0000000004EF8000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4143220844.00000000053EE000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000E.00000002.1791709211.00000000050CE000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000E.00000003.1785605859.0000000004BCB000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000E.00000002.1791709211.0000000004F30000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000E.00000003.1789576741.0000000004D7C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RAServer.pdb source: RegSvcs.exe, 0000000C.00000002.1792619106.00000000017E0000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.1788861011.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000E.00000002.1791022734.0000000000270000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: mstsc.pdbGCTL source: RegSvcs.exe, 00000006.00000002.1787815352.0000000003130000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4142141459.00000000008F0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: explorer.exe, 00000007.00000002.4158146718.00000000110CF000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4143827334.000000000579F000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4142597154.00000000033E4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mstsc.pdb source: RegSvcs.exe, 00000006.00000002.1787815352.0000000003130000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4142141459.00000000008F0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: RAServer.pdbGCTL source: RegSvcs.exe, 0000000C.00000002.1792619106.00000000017E0000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.1788861011.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000E.00000002.1791022734.0000000000270000.00000040.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\faktura proforma pdf.exe, Code function 0_2_0EAF10C4: 4x nop then jmp 0EAF0FC5h
Source: C:\Users\user\Desktop\faktura proforma pdf.exe, Code function 0_2_0EAF1860: 4x nop then jmp 0EAF0FC5h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function 6_2_00407B1C: 4x nop then pop ebx
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe, Code function 9_2_0E620324: 4x nop then jmp 0E620225h
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe, Code function 9_2_0E620AC0: 4x nop then jmp 0E620225h

Networking

Source: Network traffic, Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:50007 -> 13.248.252.114:80
Source: Network traffic, Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:50007 -> 13.248.252.114:80
Source: Network traffic, Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:50007 -> 13.248.252.114:80
Source: Malware configuration extractor, URLs: www.asposted.online/gy15/
Source: DNS query: www.isax.xyz
Source: DNS query: www.haad.xyz
Source: unknown, DNS traffic detected: query: www.asposted.online, reply code: Name error (3)
Source: unknown, DNS traffic detected: query: www.hetinkerfoundation.net, reply code: Name error (3)
Source: unknown, DNS traffic detected: query: www.hopbestdeals.online, reply code: Name error (3)
Source: unknown, DNS traffic detected: query: www.isax.xyz, reply code: Name error (3)
Source: unknown, DNS traffic detected: query: www.nline-shopping-56055.bond, reply code: Name error (3)
Source: unknown, DNS traffic detected: query: www.ixaahx.shop, reply code: Name error (3)
Source: unknown, DNS traffic detected: query: www.omaininformaniacion.fun, reply code: Name error (3)
Source: unknown, DNS traffic detected: query: www.rrivalgetaways.info, reply code: Name error (3)
Source: unknown, DNS traffic detected: query: www.hilohcreekpemf.online, reply code: Name error (3)
Source: unknown, DNS traffic detected: query: www.indow-replacement-46487.bond, reply code: Name error (3)
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1 (11 occurrences)
Source: C:\Windows\explorer.exe, Code function 7_2_0FCACF82: getaddrinfo, setsockopt, recv
Source: global traffic, DNS traffic detected: DNS query: www.hilohcreekpemf.online
Source: global traffic, DNS traffic detected: DNS query: www.indow-replacement-46487.bond
Source: global traffic, DNS traffic detected: DNS query: www.isax.xyz
Source: global traffic, DNS traffic detected: DNS query: www.hopbestdeals.online
Source: global traffic, DNS traffic detected: DNS query: www.asposted.online
Source: global traffic, DNS traffic detected: DNS query: www.ixaahx.shop
Source: global traffic, DNS traffic detected: DNS query: www.haad.xyz
Source: global traffic, DNS traffic detected: DNS query: www.omaininformaniacion.fun
Source: global traffic, DNS traffic detected: DNS query: www.hetinkerfoundation.net
Source: global traffic, DNS traffic detected: DNS query: www.nline-shopping-56055.bond
Source: global traffic, DNS traffic detected: DNS query: www.rrivalgetaways.info
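The extracted configuration and the DNS observations above fit together: every name the sample resolved is either the C2 host or one of the decoy domains, each prefixed with www., and the explorer.exe memory strings further down show a decoy host (www.0372.photo) being requested with the same /gy15/ path as the C2. The Python below is an added example, not part of the report or of Joe Sandbox. It parses the extracted configuration, derives the full URL hunt list and buckets DNS queries into c2 / decoy / unrelated. The decoy list is trimmed to entries the report actually shows, the DNS log lines are constructed and their timestamps are illustrative.

```python
"""Turn the extracted FormBook configuration into hunt indicators and triage DNS queries.
Added example (not Joe Sandbox code); the log lines and the config excerpt are constructed from the report."""
import json
from typing import Dict, List, Set
from urllib.parse import urlsplit

# C2 entry verbatim from the report; decoy list trimmed to names that also appear in the report's
# DNS section, plus "0372.photo" (seen in explorer.exe memory) and "hairsdeals.today" (never queried).
CONFIG_JSON = """{"C2 list": ["www.asposted.online/gy15/"],
 "decoy": ["hairsdeals.today", "haad.xyz", "isax.xyz", "hetinkerfoundation.net",
           "hopbestdeals.online", "nline-shopping-56055.bond", "ixaahx.shop",
           "omaininformaniacion.fun", "rrivalgetaways.info", "hilohcreekpemf.online",
           "indow-replacement-46487.bond", "0372.photo"]}"""


def _host(name: str) -> str:
    """Normalise a DNS name: lower-case, no trailing dot, no leading www."""
    name = name.lower().rstrip(".")
    return name[4:] if name.startswith("www.") else name


class FormBookConfig:
    def __init__(self, raw: str) -> None:
        cfg = json.loads(raw)
        # The config stores the C2 as host/path without a scheme; prepend one so urlsplit parses it.
        c2 = urlsplit("http://" + cfg["C2 list"][0])
        self.c2_host: str = _host(c2.hostname)
        self.path: str = c2.path or "/"
        self.decoys: Set[str] = {_host(d) for d in cfg["decoy"]}

    def hunt_urls(self) -> List[str]:
        """C2 URL first, then each decoy with the same path; the report's explorer.exe memory
        strings (http://www.0372.photo/gy15/) show a decoy being requested with the C2 path."""
        return [f"http://www.{h}{self.path}" for h in [self.c2_host] + sorted(self.decoys)]

    def classify(self, qname: str) -> str:
        h = _host(qname)
        if h == self.c2_host:
            return "c2"
        return "decoy" if h in self.decoys else "unrelated"


def triage_dns(log: str, cfg: FormBookConfig) -> Dict[str, List[str]]:
    """Bucket '<timestamp> <client> <qname> <rcode>' lines into c2 / decoy / unrelated."""
    buckets: Dict[str, List[str]] = {"c2": [], "decoy": [], "unrelated": []}
    for line in log.splitlines():
        if line.strip():
            _ts, _client, qname, _rcode = line.split()
            buckets[cfg.classify(qname)].append(qname)
    return buckets


# Constructed DNS log (not a sandbox export); the names and NXDOMAIN results follow the report,
# the timestamps are illustrative and the last line is a benign control.
DNS_LOG = """\
2024-10-24T09:05:58 192.168.2.4 www.isax.xyz NXDOMAIN
2024-10-24T09:05:59 192.168.2.4 www.asposted.online NXDOMAIN
2024-10-24T09:06:00 192.168.2.4 www.nline-shopping-56055.bond NXDOMAIN
2024-10-24T09:06:00 192.168.2.4 www.microsoft.com NOERROR
"""

if __name__ == "__main__":
    config = FormBookConfig(CONFIG_JSON)
    for bucket, names in triage_dns(DNS_LOG, config).items():
        print(bucket, names)
    print("\n".join(config.hunt_urls()))
```

In this run every lookup, including the C2, returned Name error (3), so the response code alone says nothing; matching against the extracted configuration is what separates the single host worth blocking from the sixty-odd decoy names that exist only to bury it in noise.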
          Source: explorer.exe, 00000007.00000002.4149087756.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111719104.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1725514053.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1720478261.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
          Source: explorer.exe, 00000007.00000002.4149087756.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111719104.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1725514053.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1720478261.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
          Source: explorer.exe, 00000007.00000002.4149087756.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111719104.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1725514053.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1720478261.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
          Source: explorer.exe, 00000007.00000002.4149087756.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111719104.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1725514053.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1720478261.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
          Source: explorer.exe, 00000007.00000002.4145487064.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1720478261.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
          Source: explorer.exe, 00000007.00000002.4147185768.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.4147904937.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1727350481.0000000009B60000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://schemas.micro
          Source: faktura proforma pdf.exe, 00000000.00000002.1736105667.0000000002F5A000.00000004.00000800.00020000.00000000.sdmp, xmAdkuQjxrS.exe, 00000009.00000002.1772272518.00000000029C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.0372.photo
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.0372.photo/gy15/
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.0372.photo/gy15/www.rogramdokpirdarmowy.today
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.0372.photoReferer:
          Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.asposted.online
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.asposted.online/gy15/
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.asposted.online/gy15/www.ixaahx.shop
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.asposted.onlineReferer:
          Source: explorer.exe, 00000007.00000003.3108552283.000000000C9AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1733763393.000000000C964000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
          Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
          Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
          Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.haad.xyz
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.haad.xyz/gy15/
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.haad.xyz/gy15/www.omaininformaniacion.fun
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.haad.xyzReferer:
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hetinkerfoundation.net
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hetinkerfoundation.net/gy15/
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hetinkerfoundation.net/gy15/www.nline-shopping-56055.bond
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hetinkerfoundation.netReferer:
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hilohcreekpemf.online
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hilohcreekpemf.online/gy15/
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hilohcreekpemf.online/gy15/www.indow-replacement-46487.bond
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hilohcreekpemf.onlineReferer:
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hopbestdeals.online
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hopbestdeals.online/gy15/
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hopbestdeals.online/gy15/www.hqaiop.xyz
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hopbestdeals.onlineReferer:
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hqaiop.xyz
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hqaiop.xyz/gy15/
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hqaiop.xyz/gy15/www.asposted.online
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hqaiop.xyzReferer:
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.indow-replacement-46487.bond
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.indow-replacement-46487.bond/gy15/
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.indow-replacement-46487.bond/gy15/www.isax.xyz
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.indow-replacement-46487.bondReferer:
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.isax.xyz
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.isax.xyz/gy15/
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.isax.xyz/gy15/www.hopbestdeals.online
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.isax.xyzReferer:
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ixaahx.shop
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ixaahx.shop/gy15/
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ixaahx.shop/gy15/www.haad.xyz
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ixaahx.shopReferer:
          Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nline-shopping-56055.bond
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nline-shopping-56055.bond/gy15/
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nline-shopping-56055.bond/gy15/www.rrivalgetaways.info
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nline-shopping-56055.bondReferer:
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oftware-download-44761.bond
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oftware-download-44761.bond/gy15/
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oftware-download-44761.bond/gy15/www.0372.photo
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oftware-download-44761.bondReferer:
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.omaininformaniacion.fun
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.omaininformaniacion.fun/gy15/
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.omaininformaniacion.fun/gy15/www.hetinkerfoundation.net
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.omaininformaniacion.funReferer:
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.orthfitness.net
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.orthfitness.net/gy15/
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.orthfitness.net/gy15/www.oftware-download-44761.bond
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.orthfitness.netReferer:
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.rogramdokpirdarmowy.today
          Source: explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.rogramdokpirdarmowy.today/gy15/
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.rogramdokpirdarmowy.todayReferer:
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.rrivalgetaways.info
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.rrivalgetaways.info/gy15/
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.rrivalgetaways.info/gy15/www.orthfitness.net
          Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.rrivalgetaways.infoReferer:
          Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
          Source: faktura proforma pdf.exe, 00000000.00000002.1739742053.0000000005C24000.00000004.00000020.00020000.00000000.sdmp, faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
          Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
          Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
          Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
          Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
          Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
          Source: explorer.exe, 00000007.00000002.4154353746.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1733763393.000000000C893000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
          Source: explorer.exe, 00000007.00000002.4145487064.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1720478261.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/Vh5j3k
          Source: explorer.exe, 00000007.00000002.4145487064.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1720478261.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/odirmr
          Source: explorer.exe, 00000007.00000000.1733763393.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4154353746.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOS
          Source: explorer.exe, 00000007.00000002.4149087756.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111719104.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1725514053.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/
          Source: explorer.exe, 00000007.00000002.4149087756.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111719104.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1725514053.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/q
          Source: explorer.exe, 00000007.00000000.1718182616.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3109263077.000000000370C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4143785522.000000000371D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3114567156.000000000371C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4142527749.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1716988722.0000000001240000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 00000007.00000002.4149087756.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111719104.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1725514053.00000000096DF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
          Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
          Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4149087756.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111719104.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1725514053.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
          Source: explorer.exe, 00000007.00000002.4149087756.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111719104.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1725514053.00000000096DF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.comi
          Source: explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
          Source: explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
          Source: explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
          Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
          Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
          Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
          Source: explorer.exe, 00000007.00000002.4145487064.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1720478261.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
          Source: explorer.exe, 00000007.00000002.4145487064.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1720478261.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
          Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
          Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
          Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
          Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
          Source: explorer.exe, 00000007.00000000.1733763393.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4154353746.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.com
          Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
          Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
          Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
          Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
          Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
          Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
          Source: explorer.exe, 00000007.00000002.4145487064.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1720478261.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
          Source: explorer.exe, 00000007.00000000.1733763393.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4154353746.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.com_
          Source: explorer.exe, 00000007.00000000.1733763393.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4154353746.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://powerpoint.office.comcember
          Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
          Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000007.00000000.1733763393.000000000C557000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://wns.windows.com/L
          Source: explorer.exe, 00000007.00000000.1733763393.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4154353746.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://word.office.com
          Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
          Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
          Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1720478261.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
          Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
          Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
          Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
          Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
          Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
          Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
          Source: explorer.exe, 00000007.00000000.1720478261.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
          Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
          Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
          Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
          Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com:443/en-us/feed
          Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
          Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
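Analyst note (added here; not part of the Joe Sandbox output). The memory strings above fall into three groups: the http://www.* strings in explorer.exe that all share the URI path /gy15/ are the candidates for the malware's C2 list; the msn.com, office.com and windows.com strings are ordinary explorer.exe content; and the strings in faktura proforma pdf.exe (sakkal.com, tiro.com, urwpp.de and the like) are font-foundry URLs of the kind typically carried in font metadata, not infrastructure. The script below turns rows of this shape into a per-process host list plus the URI path those hosts have in common, which is how an analyst would separate the first group from the other two without reading every row. It is example code, not the sandbox's: the sample rows are a constructed subset of the findings above (found strings verbatim, dump identifiers shortened), the allowlist of benign suffixes is an assumption made for this report, and the hostnames are kept exactly as the dump reports them. Several of them look truncated by one leading character (oftware-download-44761.bond, for instance); the script deliberately does not guess at the missing character.

```python
"""Extract per-process host / URI-path indicators from Joe Sandbox
'String found in binary or memory' rows.  Added example, not sandbox code."""
import re
from collections import Counter, defaultdict

FIELD = "String found in binary or memory: "

# A host is whatever follows "www."; a fused dump string such as
# ".../gy15/www.oftware-download-44761.bond" therefore yields two hosts.
HOST_RE = re.compile(r"www\.([a-z0-9-]+(?:\.[a-z0-9-]+)+)")
# The first path segment directly after a www.-host, e.g. "/gy15/".
PATH_RE = re.compile(r"https?://www\.[a-z0-9.-]+(/[A-Za-z0-9_-]+/)")

# Hosts explorer.exe legitimately references in this report.  Assumption:
# tune per environment; real triage would also consult threat intel.
ALLOWLIST_SUFFIXES = ("msn.com", "office.com", "windows.com", "akamaized.net", "outlook.com")

# Constructed sample: a subset of the rows above.  The found strings are
# verbatim; the dump identifiers are shortened to keep the sample readable.
REPORT_LINES = [
    "Source: explorer.exe, 00000007.00000003.3105400926...sdmp" + FIELD + "http://www.omaininformaniacion.funReferer:",
    "Source: explorer.exe, 00000007.00000003.3105400926...sdmp" + FIELD + "http://www.orthfitness.net",
    "Source: explorer.exe, 00000007.00000003.3105400926...sdmp" + FIELD + "http://www.orthfitness.net/gy15/",
    "Source: explorer.exe, 00000007.00000003.3105400926...sdmp" + FIELD + "http://www.orthfitness.net/gy15/www.oftware-download-44761.bond",
    "Source: explorer.exe, 00000007.00000003.3107161768...sdmp" + FIELD + "http://www.rogramdokpirdarmowy.today/gy15/",
    "Source: explorer.exe, 00000007.00000003.3105400926...sdmp" + FIELD + "http://www.rrivalgetaways.info/gy15/www.orthfitness.net",
    "Source: explorer.exe, 00000007.00000003.3105400926...sdmp" + FIELD + "http://www.rrivalgetaways.infoReferer:",
    "Source: explorer.exe, 00000007.00000002.4149087756...sdmp" + FIELD + "https://api.msn.com/",
    "Source: explorer.exe, 00000007.00000000.1720478261...sdmp" + FIELD + "https://www.msn.com:443/en-us/feed",
    "Source: faktura proforma pdf.exe, 00000000.00000002.1739742053...sdmp" + FIELD + "http://www.sakkal.com",
]


def parse_report(lines):
    """Map process name -> list of raw strings the sandbox found in its memory."""
    per_proc = defaultdict(list)
    for line in lines:
        if FIELD not in line:
            continue
        src, found = line.split(FIELD, 1)
        proc = src.split(",", 1)[0].replace("Source:", "").strip()
        per_proc[proc].append(found.strip())
    return per_proc


def is_allowlisted(host):
    return any(host == s or host.endswith("." + s) for s in ALLOWLIST_SUFFIXES)


def hosts_and_paths(strings):
    """host -> set of first path segments seen with it; allowlisted hosts dropped."""
    paths_by_host = defaultdict(set)
    for s in strings:
        # A trailing "Referer:" is most likely a neighbouring HTTP header
        # constant the dump ran together with the URL; it is not part of it.
        s = s.removesuffix("Referer:")
        hosts = HOST_RE.findall(s)
        for h in hosts:
            if not is_allowlisted(h):
                paths_by_host.setdefault(h, set())
        m = PATH_RE.match(s)
        if m and hosts and not is_allowlisted(hosts[0]):
            paths_by_host[hosts[0]].add(m.group(1))   # path belongs to the leading host
    return dict(paths_by_host)


def shared_uri_path(paths_by_host, min_hosts=2):
    """The path used by the most distinct hosts, if at least min_hosts share it."""
    counts = Counter(p for paths in paths_by_host.values() for p in paths)
    if not counts:
        return None
    path, n = counts.most_common(1)[0]
    return path if n >= min_hosts else None


def c2_candidates(lines):
    """Per process: sorted hosts plus the URI path they have in common (or None)."""
    result = {}
    for proc, strings in parse_report(lines).items():
        pbh = hosts_and_paths(strings)
        if pbh:
            result[proc] = {"hosts": sorted(pbh), "path": shared_uri_path(pbh)}
    return result


if __name__ == "__main__":
    for proc, info in c2_candidates(REPORT_LINES).items():
        print(f"{proc}: shared path {info['path']!r}, hosts {info['hosts']}")
```

Run against the full report the same rows yield explorer.exe with five hosts and the shared path /gy15/, while faktura proforma pdf.exe yields only font-foundry hosts and no shared path; a host that appears once with no path (omaininformaniacion.fun) still makes the list because it sits in the same process alongside the path-sharing ones, which is the right call for a blocklist and the wrong call for a detection signature, so keep the two outputs apart.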

          E-Banking Fraud

          Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.2.xmAdkuQjxrS.exe.41fb088.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.1791235982.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1737166544.00000000045C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.1773933452.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000002.4142797665.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000002.4142425418.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000002.4142752695.0000000003670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.2.xmAdkuQjxrS.exe.41fb088.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.2.xmAdkuQjxrS.exe.41fb088.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.2.xmAdkuQjxrS.exe.41fb088.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000002.1791235982.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000E.00000002.1791235982.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.1791235982.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.1737166544.00000000045C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000000.00000002.1737166544.00000000045C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.1737166544.00000000045C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.1773933452.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000009.00000002.1773933452.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.1773933452.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.4142797665.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000D.00000002.4142797665.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.4142797665.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.4142425418.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000D.00000002.4142425418.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.4142425418.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.4142752695.0000000003670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000D.00000002.4142752695.0000000003670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.4142752695.0000000003670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.4157647117.000000000FCC4000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
          Source: Process Memory Space: faktura proforma pdf.exe PID: 2692, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: RegSvcs.exe PID: 7188, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: xmAdkuQjxrS.exe PID: 7332, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: mstsc.exe PID: 7524, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: raserver.exe PID: 7540, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_07691E70 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_07691E68 NtQueryInformationProcess
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041A330 NtCreateFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041A3E0 NtReadFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041A460 NtClose
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041A510 NtAllocateVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041A2EB NtCreateFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041A3DA NtReadFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041A45A NtClose
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041A50C NtAllocateVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502B60 NtClose, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502BF0 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502AD0 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502D10 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502D30 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502DD0 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502DF0 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502C70 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502CA0 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502F30 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502FE0 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502F90 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502FB0 NtResumeThread, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502E80 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502EA0 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01504340 NtSetContextThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01504650 NtSuspendThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502BE0 NtQueryValueKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502B80 NtQueryInformationFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502BA0 NtEnumerateValueKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502AF0 NtWriteFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502AB0 NtWaitForSingleObject
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502D00 NtSetInformationFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502DB0 NtEnumerateKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502C60 NtCreateKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502C00 NtQueryInformationProcess
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502CC0 NtQueryVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502CF0 NtOpenProcess
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502F60 NtCreateProcessEx
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502FA0 NtQuerySection
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502E30 NtWriteVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502EE0 NtQueueApcThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01503010 NtOpenDirectoryObject
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01503090 NtSetValueKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015035C0 NtCreateMutant
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015039B0 NtGetContextThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01503D70 NtOpenThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01503D10 NtOpenProcessToken
          Source: C:\Windows\explorer.exe Code function: 7_2_0FCADE12 NtProtectVirtualMemory
          Source: C:\Windows\explorer.exe Code function: 7_2_0FCAC232 NtCreateFile
          Source: C:\Windows\explorer.exe Code function: 7_2_0FCADE0A NtProtectVirtualMemory
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D61F48 NtQueryInformationProcess
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D61FF8 NtQueryInformationProcess
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D61F43 NtQueryInformationProcess
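The native-API list above is easiest to read once the Nt* calls are grouped per process and compared against the primitive sets that make up the injection techniques a sandbox flags: the RegSvcs.exe process (function ids prefixed 6_2_) carries NtCreateSection/NtMapViewOfSection/NtUnmapViewOfSection, NtWriteVirtualMemory, NtGetContextThread/NtSetContextThread, NtResumeThread and NtQueueApcThread, while the dropper (0_2_) and the persisted copy xmAdkuQjxrS.exe (9_2_) only show NtQueryInformationProcess. The Python script below is an added example written for this page, not part of the Joe Sandbox report or of the FormBook sample. It parses "Code function" lines in the report's format (including the fused "exeCode function:" variant the text extraction produced), collects the Nt* calls per process index, and reports which technique fingerprints are complete. Two assumptions are the example's own: the first component of a function id (the 6 in 6_2_01502D30) is taken to be the sandbox's per-process index, because the same prefix appears on every line from a given process path, and the API set assigned to each technique is this example's mapping, not a Joe Sandbox signature definition. The sample lines are constructed from entries on this page.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the report above, in both the cleaned
# "exe Code function:" form and the fused "exeCode function:" form (with the
# duplicated trailing function id the extraction kept), plus one bare-address
# line and one Yara line that the parser must skip.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_07691E70 NtQueryInformationProcess, 0_2_07691E70",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01502D10 NtMapViewOfSection,LdrInitializeThunk,6_2_01502D10",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502D30 NtUnmapViewOfSection, LdrInitializeThunk",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502F30 NtCreateSection, LdrInitializeThunk",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502E30 NtWriteVirtualMemory",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01504340 NtSetContextThread",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502FB0 NtResumeThread, LdrInitializeThunk",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502EE0 NtQueueApcThread",
    r"Source: C:\Windows\explorer.exe Code function: 7_2_0FCADE12 NtProtectVirtualMemory",
    r"Source: C:\Windows\explorer.exe Code function: 7_2_0E83E232",
    "Source: Process Memory Space: RegSvcs.exe PID: 7188, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown",
]

# "Source: <path>[ ]Code function: <proc>_<phase>_<hex> <api>[,<api>...][,<dup id>]"
LINE_RE = re.compile(
    r"Source:\s*(?P<src>.+?)\s*Code function:\s*"
    r"(?P<fid>\d+_\d+_[0-9A-Fa-f]+)\s+"
    r"(?P<calls>[A-Za-z0-9_]+(?:,[A-Za-z0-9_]*)*)"
)

# Which native-API primitives this example treats as the fingerprint of each
# injection technique. Assumption of this example, not a sandbox signature.
INJECTION_PATTERNS = {
    "process hollowing": {
        "NtUnmapViewOfSection", "NtWriteVirtualMemory",
        "NtSetContextThread", "NtResumeThread",
    },
    "APC queueing into another process": {"NtQueueApcThread"},
    "section mapping into another process": {"NtCreateSection", "NtMapViewOfSection"},
}


def parse_code_functions(lines):
    """Yield (process_index, source_path, address, [Nt* calls]) for every
    'Code function' line that names at least one Nt* API.

    Bare-address lines, Yara/string hits, LdrInitializeThunk markers and the
    duplicated trailing function id are all dropped.
    """
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        proc_idx, _phase, address = m.group("fid").split("_")
        calls = [c for c in m.group("calls").split(",") if c.startswith("Nt")]
        if calls:
            yield int(proc_idx), m.group("src"), address, calls


def injection_profile(lines):
    """Group Nt* calls by process index and list the technique fingerprints
    that are complete for each process."""
    per_proc = defaultdict(lambda: {"source": None, "calls": set(), "techniques": []})
    for idx, src, _address, calls in parse_code_functions(lines):
        per_proc[idx]["source"] = src
        per_proc[idx]["calls"].update(calls)
    for info in per_proc.values():
        info["techniques"] = sorted(
            name for name, needed in INJECTION_PATTERNS.items()
            if needed <= info["calls"]
        )
    return dict(per_proc)


if __name__ == "__main__":
    for idx, info in sorted(injection_profile(SAMPLE_LINES).items()):
        print(f"[{idx}] {info['source']}")
        print("     Nt* calls :", ", ".join(sorted(info["calls"])))
        print("     techniques:", ", ".join(info["techniques"]) or "none complete")
```

Run against the full "Code function" block of a report, the script separates the process that does the injecting (here RegSvcs.exe, a signed .NET framework binary being hollowed) from processes that merely receive code, which is the distinction that matters when choosing what to hunt for on the endpoint.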
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0118DC1C
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0561B4E0
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_056184B8
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0561DED0
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0561F1A0
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0561DEC0
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0561F190
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0561D228
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0769268C
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_07691740
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_07694528
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_07694518
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0769D308
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_07691272
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0769B228
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0769D2F8
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_07691280
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_07694282
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_07694290
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_07691FF0
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_07691FA2
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_07690E48
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_07690E37
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0769ADE1
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0769ADF0
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0769CA20
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0769CA30
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0769A9B8
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0769A985
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0EAF2958
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00401030
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041D946
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041D9F3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041E3C9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041E567
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041D573
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00402D87
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00402D90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00409E5B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00409E60
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041E7D9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00402FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01558158
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C0100
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156A118
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015881CC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015901AA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015841A2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01562000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158A352
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014DE3F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015903E6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01570274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015502C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D0535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01590591
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01582446
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01574420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0157E4F6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014F4750
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D0770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014CC7C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014EC6E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014E6962
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D29A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0159A9A6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D2840
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014DA840
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FE8F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014B68B8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158AB40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01586BD7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014CEA80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156CD1F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014DAD00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014CADE0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014E8DBF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D0C00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C0CF2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01570CB5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01544F40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01572F30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01512F28
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014F0F30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C2FC8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0154EFA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D0E59
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158EE26
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158EEDB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158CE93
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014E2E90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0159B16B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014BF172
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0150516C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014DB1B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D70C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0157F0CC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015870E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158F0E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014BD34C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158132D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0151739A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014EB2C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015712ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014ED2F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D52A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01587571
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015995C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156D5B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C1460
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158F43F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158F7B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01515630
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015816CC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D9950
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014EB950
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01565910
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0153D800
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D38E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158FB76
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01545BF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0150DBF9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014EFB80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158FA49
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01587A46
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01543A6C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0157DAC6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01515AA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01571AA3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156DAAC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01581D5A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D3D40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01587D73
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014EFDC0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01549C32
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158FCF2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158FF09
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01493FD2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01493FD5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D1F92
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158FFB1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D9EB0
          Source: C:\Windows\explorer.exe Code function: 7_2_0E83E232
          Source: C:\Windows\explorer.exe Code function: 7_2_0E838B32
          Source: C:\Windows\explorer.exe Code function: 7_2_0E838B30
          Source: C:\Windows\explorer.exe Code function: 7_2_0E834082
          Source: C:\Windows\explorer.exe Code function: 7_2_0E83D036
          Source: C:\Windows\explorer.exe Code function: 7_2_0E8415CD
          Source: C:\Windows\explorer.exe Code function: 7_2_0E835D02
          Source: C:\Windows\explorer.exe Code function: 7_2_0E83B912
          Source: C:\Windows\explorer.exe Code function: 7_2_0F6E8B32
          Source: C:\Windows\explorer.exe Code function: 7_2_0F6E8B30
          Source: C:\Windows\explorer.exe Code function: 7_2_0F6EE232
          Source: C:\Windows\explorer.exe Code function: 7_2_0F6E5D02
          Source: C:\Windows\explorer.exe Code function: 7_2_0F6EB912
          Source: C:\Windows\explorer.exe Code function: 7_2_0F6F15CD
          Source: C:\Windows\explorer.exe Code function: 7_2_0F6ED036
          Source: C:\Windows\explorer.exe Code function: 7_2_0F6E4082
          Source: C:\Windows\explorer.exe Code function: 7_2_0FCAC232
          Source: C:\Windows\explorer.exe Code function: 7_2_0FCAF5CD
          Source: C:\Windows\explorer.exe Code function: 7_2_0FCA3D02
          Source: C:\Windows\explorer.exe Code function: 7_2_0FCA9912
          Source: C:\Windows\explorer.exe Code function: 7_2_0FCA6B32
          Source: C:\Windows\explorer.exe Code function: 7_2_0FCA6B30
          Source: C:\Windows\explorer.exe Code function: 7_2_0FCA2082
          Source: C:\Windows\explorer.exe Code function: 7_2_0FCAB036
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_008ADC1C
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_026C7ED0
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_026C0120
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_026C0130
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_052184B8
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_0521B4E0
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_0521DED0
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_0521F1A0
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_0521DEC0
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_0521F190
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D626BC
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D64550
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D64540
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D642C0
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D642B3
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D6B250
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D61358
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D6D330
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D620C8
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D6AE18
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D6AE09
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D60F10
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D60F20
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D6CA58
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D6CA48
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D61818
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D61807
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D6A9E0
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D6A9AD
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_0E621BB8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 01505130 appears 58 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0153EA12 appears 86 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 01517E54 appears 107 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0154F290 appears 103 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 014BB970 appears 262 times
          Source: faktura proforma pdf.exe, 00000000.00000002.1742954449.000000000B560000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs faktura proforma pdf.exe
          Source: faktura proforma pdf.exe, 00000000.00000002.1737166544.00000000045C8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs faktura proforma pdf.exe
          Source: faktura proforma pdf.exe, 00000000.00000002.1733508497.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs faktura proforma pdf.exe
          Source: faktura proforma pdf.exe, 00000000.00000002.1736105667.0000000002D31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs faktura proforma pdf.exe
          Source: faktura proforma pdf.exe Binary or memory string: OriginalFilenamexRzP.exe* vs faktura proforma pdf.exe
          Source: faktura proforma pdf.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.2.xmAdkuQjxrS.exe.41fb088.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 9.2.xmAdkuQjxrS.exe.41fb088.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.2.xmAdkuQjxrS.exe.41fb088.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.1791235982.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000E.00000002.1791235982.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.1791235982.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.1737166544.00000000045C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.1737166544.00000000045C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.1737166544.00000000045C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.1773933452.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000009.00000002.1773933452.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.1773933452.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.4142797665.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000D.00000002.4142797665.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.4142797665.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.4142425418.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000D.00000002.4142425418.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.4142425418.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.4142752695.0000000003670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000D.00000002.4142752695.0000000003670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.4142752695.0000000003670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.4157647117.000000000FCC4000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
          Source: Process Memory Space: faktura proforma pdf.exe PID: 2692, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: RegSvcs.exe PID: 7188, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: xmAdkuQjxrS.exe PID: 7332, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: mstsc.exe PID: 7524, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: raserver.exe PID: 7540, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: faktura proforma pdf.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: xmAdkuQjxrS.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, lkSy2S4jDXNLhokqZE.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, VPSRVttg1LtLEvE5p6.csSecurity API names: _0020.SetAccessControl
          Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, VPSRVttg1LtLEvE5p6.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, VPSRVttg1LtLEvE5p6.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
          Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, lkSy2S4jDXNLhokqZE.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, VPSRVttg1LtLEvE5p6.csSecurity API names: _0020.SetAccessControl
          Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, VPSRVttg1LtLEvE5p6.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, VPSRVttg1LtLEvE5p6.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
          Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, lkSy2S4jDXNLhokqZE.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, VPSRVttg1LtLEvE5p6.csSecurity API names: _0020.SetAccessControl
          Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, VPSRVttg1LtLEvE5p6.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, VPSRVttg1LtLEvE5p6.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
          Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, lkSy2S4jDXNLhokqZE.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, VPSRVttg1LtLEvE5p6.csSecurity API names: _0020.SetAccessControl
          Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, VPSRVttg1LtLEvE5p6.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, VPSRVttg1LtLEvE5p6.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
          Source: classification engineClassification label: mal100.troj.evad.winEXE@23/11@11/0
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeFile created: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exeJump to behavior
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exeMutant created: NULL
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exeMutant created: \Sessions\1\BaseNamedObjects\YBJDWrmWsCm
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1376:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7608:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3852:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7468:120:WilError_03
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeFile created: C:\Users\user\AppData\Local\Temp\tmp69A7.tmpJump to behavior
          Source: faktura proforma pdf.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: faktura proforma pdf.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: faktura proforma pdf.exeReversingLabs: Detection: 34%
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeFile read: C:\Users\user\Desktop\faktura proforma pdf.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\faktura proforma pdf.exe "C:\Users\user\Desktop\faktura proforma pdf.exe"
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xmAdkuQjxrS" /XML "C:\Users\user\AppData\Local\Temp\tmp69A7.tmp"
          Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
          Source: unknownProcess created: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xmAdkuQjxrS" /XML "C:\Users\user\AppData\Local\Temp\tmp77D0.tmp"
          Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\mstsc.exe "C:\Windows\SysWOW64\mstsc.exe"
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\raserver.exe "C:\Windows\SysWOW64\raserver.exe"
          Source: C:\Windows\SysWOW64\mstsc.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe"Jump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xmAdkuQjxrS" /XML "C:\Users\user\AppData\Local\Temp\tmp69A7.tmp"Jump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\mstsc.exe "C:\Windows\SysWOW64\mstsc.exe"Jump to behavior
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\raserver.exe "C:\Windows\SysWOW64\raserver.exe"Jump to behavior
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xmAdkuQjxrS" /XML "C:\Users\user\AppData\Local\Temp\tmp77D0.tmp"Jump to behavior
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
          Source: C:\Windows\SysWOW64\mstsc.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeSection loaded: dwrite.dllJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeSection loaded: riched20.dllJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeSection loaded: usp10.dllJump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: riched20.dll
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: usp10.dll
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: msls31.dll
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: credui.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: cryptui.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\faktura proforma pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: faktura proforma pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: faktura proforma pdf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: RegSvcs.pdb, source: explorer.exe, 00000007.00000002.4158146718.00000000110CF000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4143827334.000000000579F000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4142597154.00000000033E4000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000003.1788289388.00000000050A3000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4143220844.0000000005250000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000003.1781032119.0000000004EF8000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4143220844.00000000053EE000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000E.00000002.1791709211.00000000050CE000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000E.00000003.1785605859.0000000004BCB000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000E.00000002.1791709211.0000000004F30000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000E.00000003.1789576741.0000000004D7C000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000003.1788289388.00000000050A3000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4143220844.0000000005250000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000003.1781032119.0000000004EF8000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4143220844.00000000053EE000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000E.00000002.1791709211.00000000050CE000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000E.00000003.1785605859.0000000004BCB000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000E.00000002.1791709211.0000000004F30000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000E.00000003.1789576741.0000000004D7C000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: RAServer.pdb source: RegSvcs.exe, 0000000C.00000002.1792619106.00000000017E0000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.1788861011.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000E.00000002.1791022734.0000000000270000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: mstsc.pdbGCTL source: RegSvcs.exe, 00000006.00000002.1787815352.0000000003130000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4142141459.00000000008F0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: RegSvcs.pdb source: explorer.exe, 00000007.00000002.4158146718.00000000110CF000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4143827334.000000000579F000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4142597154.00000000033E4000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: mstsc.pdb source: RegSvcs.exe, 00000006.00000002.1787815352.0000000003130000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4142141459.00000000008F0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: RAServer.pdbGCTL source: RegSvcs.exe, 0000000C.00000002.1792619106.00000000017E0000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.1788861011.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000E.00000002.1791022734.0000000000270000.00000040.80000000.00040000.00000000.sdmp

          Data Obfuscation

Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, VPSRVttg1LtLEvE5p6.cs .Net Code: x0QXKL6ev7 System.Reflection.Assembly.Load(byte[])
Source: 0.2.faktura proforma pdf.exe.3d50b90.1.raw.unpack, Uo.cs .Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, VPSRVttg1LtLEvE5p6.cs .Net Code: x0QXKL6ev7 System.Reflection.Assembly.Load(byte[])
Source: 0.2.faktura proforma pdf.exe.7320000.3.raw.unpack, Uo.cs .Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, VPSRVttg1LtLEvE5p6.cs .Net Code: x0QXKL6ev7 System.Reflection.Assembly.Load(byte[])
Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, VPSRVttg1LtLEvE5p6.cs .Net Code: x0QXKL6ev7 System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0118A340 pushfd ; iretd 0_2_0118A342
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0118475B push ebp; iretd 0_2_01184762
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_01184791 push esi; iretd 0_2_01184792
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_01184659 push edx; iretd 0_2_0118465A
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_01184699 push edx; iretd 0_2_0118469A
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_05616292 pushad ; retf 0_2_05616299
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041685B push edi; ret 6_2_00416876
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041703D push 0000002Ah; ret 6_2_0041703F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041D946 push dword ptr [637AF8F0h]; ret 6_2_0041D944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041D9F3 push dword ptr [637AF8F0h]; ret 6_2_0041D944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00416A1F pushfd ; ret 6_2_00416A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041E3C9 push dword ptr [637AF8F0h]; ret 6_2_0041D944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041D4D2 push eax; ret 6_2_0041D4D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041D4DB push eax; ret 6_2_0041D542
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041D485 push eax; ret 6_2_0041D4D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041648C push es; iretd 6_2_00416492
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041D573 push dword ptr [637AF8F0h]; ret 6_2_0041D944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041D53C push eax; ret 6_2_0041D542
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00418759 pushad ; iretd 6_2_0041875C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_004167F8 push edi; ret 6_2_00416876
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0149225F pushad ; ret 6_2_014927F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014927FA pushad ; ret 6_2_014927F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C09AD push ecx; mov dword ptr [esp], ecx 6_2_014C09B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0149283D push eax; iretd 6_2_01492858
Source: C:\Windows\explorer.exe Code function: 7_2_0E841B02 push esp; retn 0000h 7_2_0E841B03
Source: C:\Windows\explorer.exe Code function: 7_2_0E841B1E push esp; retn 0000h 7_2_0E841B1F
Source: C:\Windows\explorer.exe Code function: 7_2_0E8419B5 push esp; retn 0000h 7_2_0E841AE7
Source: C:\Windows\explorer.exe Code function: 7_2_0F6F1B02 push esp; retn 0000h 7_2_0F6F1B03
Source: C:\Windows\explorer.exe Code function: 7_2_0F6F1B1E push esp; retn 0000h 7_2_0F6F1B1F
Source: C:\Windows\explorer.exe Code function: 7_2_0F6F19B5 push esp; retn 0000h 7_2_0F6F1AE7
Source: C:\Windows\explorer.exe Code function: 7_2_0FCAF9B5 push esp; retn 0000h 7_2_0FCAFAE7
Source: faktura proforma pdf.exe Static PE information: section name: .text entropy: 7.97774115801193
Source: xmAdkuQjxrS.exe.0.dr Static PE information: section name: .text entropy: 7.97774115801193
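The two findings above (a .text section at 7.977 bits per byte, where 8.0 is the ceiling) and the "High entropy of concatenated method names" findings that follow are both Shannon-entropy measurements. The script below is an added example, not Joe Sandbox's code or scoring: it reimplements both checks with a minimal PE section-table parser run over a constructed two-section image, and compares the obfuscated method names quoted on this page with an assumed list of ordinary WinForms method names. The cut-offs (7.0 bits/byte for a section, 5.0 bits/char for names) are assumptions chosen for the demonstration, not the sandbox's thresholds.

```python
"""Entropy checks of the kind reported above, as an added example (not Joe
Sandbox's own scoring): Shannon entropy per PE section, where packed or
encrypted code scores close to the 8.0-bit ceiling, and entropy of the
concatenated method names of a .NET class, where renaming obfuscators leave
random identifiers. The cut-offs and the PE image are constructed assumptions."""
import math
import random
import struct
from collections import Counter

# Assumed cut-offs for illustration only; Joe Sandbox's thresholds are not on this page.
PACKED_SECTION_BITS = 7.0   # bits/byte; ordinary compiled x86 code lands well below this
OBFUSCATED_NAME_BITS = 5.0  # bits/char over a class's concatenated method names


def shannon_entropy(data):
    """Bits per symbol of `data` (bytes or str); 8.0 is the ceiling for bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image):
    """Return [(name, raw_bytes)] for every section of a PE image.
    Minimal parser: MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    # COFF header: Machine(2) NumberOfSections(2) ...12 bytes... SizeOfOptionalHeader(2)
    nsections, opt_size = struct.unpack_from("<H12xH", image, coff + 2)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        # IMAGE_SECTION_HEADER is 40 bytes; only the first five fields are needed here
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), image[raw_ptr:raw_ptr + raw_size]))
    return sections


def section_entropy_report(image):
    """{section name: (entropy, flagged)}; flagged when above PACKED_SECTION_BITS."""
    report = {}
    for name, raw in pe_sections(image):
        h = shannon_entropy(raw)
        report[name] = (round(h, 3), h > PACKED_SECTION_BITS)
    return report


def method_name_entropy(names):
    """Entropy of the concatenation of one class's method names, as in the report."""
    return shannon_entropy("".join(names))


# Obfuscated names copied from the findings on this page; the ordinary names are an
# assumed comparison set of the kind a compiler emits for a WinForms TypeConverter/editor.
OBFUSCATED_NAMES = ["WbJNAQ7kCD", "Oq0NoA14fC", "HafNQt5gOY", "XGTNhN7NKw", "yblNfSp071",
                    "rvrNZSIk5y", "eYI836nBBa", "Qrl8jBal2Z", "Xvf8DomcW2", "iFL8p6uf65"]
ORDINARY_NAMES = ["CanConvertFrom", "ConvertFrom", "ConvertTo", "Dispose", "ProcessDialogKey",
                  "EditValue", "GetEditStyle", "ToString", "Next", "NextBytes"]


def build_sample_pe():
    """Constructed two-section PE32: a high-entropy .text standing in for the packed
    7.977-bit section reported above, and a low-entropy .data of plain strings."""
    rng = random.Random(1337)
    text = bytes(rng.getrandbits(8) for _ in range(8192))       # indistinguishable from ciphertext
    data = (b"Hello, world!\0" * 100).ljust(4096, b"\0")        # strings plus zero padding
    opt_hdr = struct.pack("<H", 0x10B).ljust(224, b"\0")        # PE32 magic, remaining fields zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt_hdr), 0x0102)

    def sec(name, va, size, ptr):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, rest zeroed
        return struct.pack("<8sIIII", name, size, va, size, ptr).ljust(40, b"\0")

    table = sec(b".text", 0x1000, len(text), 0x200) + sec(b".data", 0x4000, len(data), 0x200 + len(text))
    headers = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt_hdr + table
    return headers.ljust(0x200, b"\0") + text + data


if __name__ == "__main__":
    for name, (h, flagged) in section_entropy_report(build_sample_pe()).items():
        print(f"{name:6} entropy={h:.3f}{'  <- packed/encrypted?' if flagged else ''}")
    print(f"obfuscated names: {method_name_entropy(OBFUSCATED_NAMES):.3f} bits/char")
    print(f"ordinary names:   {method_name_entropy(ORDINARY_NAMES):.3f} bits/char")
```

Both checks return their results rather than only printing them, so they can be dropped into a triage script that runs over real samples. A .text section this close to 8.0 bits means the bytes on disk are essentially ciphertext, which is consistent with the Assembly.Load(byte[]) findings above: the on-disk executable is a stub that decrypts a buffer and loads it reflectively, so static analysis of the sample itself sees only the wrapper. Entropy alone is not proof of malice (legitimate packers and embedded compressed resources score the same way); it is the reason to move on to a memory dump, which is what the unpacked `.raw.unpack` findings in this section come from.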
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, FMyhnsUxgMA6O8A9GH.cs High entropy of concatenated method names: 'WbJNAQ7kCD', 'Oq0NoA14fC', 'HafNQt5gOY', 'XGTNhN7NKw', 'yblNfSp071', 'rvrNZSIk5y', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, DOo1k736pip6ICyI6b.cs High entropy of concatenated method names: 'eYI836nBBa', 'Qrl8jBal2Z', 'Xvf8DomcW2', 'iFL8p6uf65', 'Sln8RcajZV', 'wbT8Fh70FP', 'Ioc8mclGEv', 'Hwp8N4Ryw9', 'StC8BJ6SsR', 'Wk68Cgnghf'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, CcAfC1OrNeHV7bQuJk.cs High entropy of concatenated method names: 'TaAPqhrjjq', 'F1hPctVLDx', 'dmnP0UxeCe', 'eTKP2LytVZ', 'IB6PRb5MqW', 'zwrPFUHFOS', 'ObLQ6R4g1niwcadnyj', 'k3j8G9uY7RurgnGcca', 'st0PPJnoaV', 'tO3PtAfenI'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, kjQP3XvYlJsebvrJgI.cs High entropy of concatenated method names: 'nU5NnFOdxi', 'i9yNJWHQmB', 'n6SN8f1RJe', 'CmQNUyW3Ke', 'OjDNlRQEEm', 'jYfNq6cIjY', 'i8JNcLTdg4', 'KCSNVev2uT', 'dkAN0u2pLH', 'jvtN2S1Ggi'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, VPSRVttg1LtLEvE5p6.cs High entropy of concatenated method names: 'hDst7t3gsu', 'wONtnSi8tR', 'pVttJTIsjm', 'riNt8FATbN', 'tW6tU9xY5I', 'WuTtlR3svy', 'w1qtqIEpTl', 'CIOtcpov05', 'LvXtVA87aF', 'T76t0AEZyb'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, KO2KmAhG1EsYFfTuj0.cs High entropy of concatenated method names: 'exElvl6Sx2', 'B9Xl4b1DOw', 'phtlK5arW1', 'Qb4l3Fi6la', 'vo6ljqYcL0', 'N95l56BQsV', 'd46lpv7TGa', 'zP2lxPeMW3', 'RY1AQMCIBkvci8GkOXi', 'gF2i2uCNaXXGqlehIYb'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, wmMGZOVAEqfjbWjTXT.cs High entropy of concatenated method names: 'lUJqn1mir5', 'R8Nq8pFB2e', 'Lf5ql5Bt6j', 'ylflwsnwqr', 'Q4nlzhk7gh', 'HX0qIN4Q0U', 'S5tqPH71e3', 'YyVq1YQjeK', 'cbEqtf4hHB', 'AZCqXgMfSd'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, x8aOvJwTL6qZyb9b1N.cs High entropy of concatenated method names: 'mgrq4RMmQZ', 'nNcqu2uIKb', 'f6wqKUHppg', 'uvtq3UQEv3', 'nQWqgR76JE', 'f1BqjEjYJc', 'i66q5aqXA4', 'xAJqDVlc2T', 'r51qpvhRca', 'leBqxxtbaQ'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, RZLMukS7XMclQYg4eD.cs High entropy of concatenated method names: 'wQNBPXSfGo', 'HNQBtQMYuI', 'CJbBXeiwsX', 'fkUBn5xsWj', 'l96BJQRAfT', 'VgWBUqcw9J', 'vXNBl7waxh', 'uLXNEHC6wO', 'FXZNkyjsxs', 'RpwNMEFeee'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, c0jyp8jGb8Bw0VYbsp.cs High entropy of concatenated method names: 'Dispose', 'pKAPMGnyET', 'tLP1oKnany', 'SSFHHxN76t', 'IGQPwMJPFP', 'XDWPzGs3bc', 'ProcessDialogKey', 'PRc1IIvOv9', 'CUO1P7HFpM', 'UcN11NGDh7'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, LWQJq7cibjCtlnPLtrc.cs High entropy of concatenated method names: 'iugB40l1Rw', 'vbKBuGxT2D', 'oCbBKxihko', 'KuxB3kxyW5', 'YRXBgeR6oD', 'ms1BjedPXj', 'iBeB5cYQkW', 'BAxBDaeg0o', 'nyqBpVdjXI', 'CDKBxmb7B5'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, dHSW6m6n0RQuICnouD.cs High entropy of concatenated method names: 'qCtmknviMM', 'XltmwFtKUk', 'EjyNIogVts', 'U1gNP7YWhK', 'h4Dm6HNCnE', 'rPsmy6jFYR', 'ugcmsmPr0E', 'N5imfe47I6', 'UeTmTvUmRx', 'RqZmW6XOAI'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, Ah72wsQxdG1EWBZjQc.cs High entropy of concatenated method names: 'T9TeDv4pd7', 'CA7ep9iqUd', 'q8teAWZ6Ra', 'AmVeoi7efr', 'lxeehWaGlU', 'GY5eZ1vBot', 'G1cerCmgJ4', 'ftaeiwVnoc', 'ALNeL7VJAe', 'aoce65kZQT'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, GpWooulZSBMfpZYOqI.cs High entropy of concatenated method names: 'QJxl7RUA1j', 'qsPlJu3VJd', 'hfllUeuytr', 'jYDlqUybxU', 'l7nlce2K4e', 'tb4Ub4Nj6A', 'QXXUO2VbmH', 'OYAUEwsRyi', 'fW1Uks3JEQ', 'BVKUM0Jgld'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, rinCIsxKt2b2sY0kNr.cs High entropy of concatenated method names: 'ORMKGuhWw', 'AMr3hvwIZ', 'x5ejjyqLn', 'tVL5jjytI', 'd6tp2A4ov', 'cx0xNwssK', 'sci4UYywI2Q4IYFEtP', 'NV8t9OcHju3F3BGbXQ', 'DPANKprnU', 'NTsCqF8On'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, QEwiPrzwevouwMIeAy.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JP6BeNjCAC', 'UtsBRf170h', 'IO6BFOvs8p', 'FvxBmKQbTc', 'LLKBNbNFG6', 'FnaBBPjfHZ', 'gMIBCGSStP'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, oOAciwf8r4hTgD9C4H.cs High entropy of concatenated method names: 'pylRLr1tFi', 'WcORycGa49', 'TcnRfb892E', 'twhRTpHNnG', 'ecNRow2hs2', 'RqYRQJmXCt', 'GI0RhUrbo7', 'KGvRZRI7Cu', 'b3bRYiWoLt', 'LoNRrvkDqm'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, Dn5S64c2THrPeWHTug2.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xnGCfNnZJr', 'NPZCTkM0QE', 'yWwCWddwfA', 'pUnCG0qUVa', 'trDCbkqXG7', 'KukCOcwbM9', 'Yo4CEsFPLN'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, GK88Kn16WEEAbPvejc.cs High entropy of concatenated method names: 'Mutm0LN3Jy', 'dR2m2xs5hs', 'ToString', 'pBomnyAtkY', 'XN0mJTbJUp', 'W9em8v4jVP', 'g04mUq0sN1', 'U7ImlCOnox', 'wYmmqCvceV', 'PAUmclGk63'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, OMnd3l81OsuRldy2rR.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'pFo1MD0sVo', 'EPA1w3sxTZ', 'UwW1zNiNq7', 'n6StIaQC9O', 'bTctPZtRVW', 'WJSt1iHv7V', 'DlWttSkFnj', 'GSDEfyVsoGuhi8QgZM7'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, lkSy2S4jDXNLhokqZE.cs High entropy of concatenated method names: 'OFPJfkXMcN', 'c6OJTPY9Y3', 'QgaJWfYKoI', 'KdGJGOfrGU', 'EqVJbWtTdl', 'MgqJO4JWKF', 'buWJEnrtdX', 'LuQJkMQ4cY', 'mvNJMK4Jjn', 'r57Jwnoyrs'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, FMyhnsUxgMA6O8A9GH.cs High entropy of concatenated method names: 'WbJNAQ7kCD', 'Oq0NoA14fC', 'HafNQt5gOY', 'XGTNhN7NKw', 'yblNfSp071', 'rvrNZSIk5y', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, DOo1k736pip6ICyI6b.cs High entropy of concatenated method names: 'eYI836nBBa', 'Qrl8jBal2Z', 'Xvf8DomcW2', 'iFL8p6uf65', 'Sln8RcajZV', 'wbT8Fh70FP', 'Ioc8mclGEv', 'Hwp8N4Ryw9', 'StC8BJ6SsR', 'Wk68Cgnghf'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, CcAfC1OrNeHV7bQuJk.cs High entropy of concatenated method names: 'TaAPqhrjjq', 'F1hPctVLDx', 'dmnP0UxeCe', 'eTKP2LytVZ', 'IB6PRb5MqW', 'zwrPFUHFOS', 'ObLQ6R4g1niwcadnyj', 'k3j8G9uY7RurgnGcca', 'st0PPJnoaV', 'tO3PtAfenI'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, kjQP3XvYlJsebvrJgI.cs High entropy of concatenated method names: 'nU5NnFOdxi', 'i9yNJWHQmB', 'n6SN8f1RJe', 'CmQNUyW3Ke', 'OjDNlRQEEm', 'jYfNq6cIjY', 'i8JNcLTdg4', 'KCSNVev2uT', 'dkAN0u2pLH', 'jvtN2S1Ggi'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, VPSRVttg1LtLEvE5p6.cs High entropy of concatenated method names: 'hDst7t3gsu', 'wONtnSi8tR', 'pVttJTIsjm', 'riNt8FATbN', 'tW6tU9xY5I', 'WuTtlR3svy', 'w1qtqIEpTl', 'CIOtcpov05', 'LvXtVA87aF', 'T76t0AEZyb'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, KO2KmAhG1EsYFfTuj0.cs High entropy of concatenated method names: 'exElvl6Sx2', 'B9Xl4b1DOw', 'phtlK5arW1', 'Qb4l3Fi6la', 'vo6ljqYcL0', 'N95l56BQsV', 'd46lpv7TGa', 'zP2lxPeMW3', 'RY1AQMCIBkvci8GkOXi', 'gF2i2uCNaXXGqlehIYb'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, wmMGZOVAEqfjbWjTXT.cs High entropy of concatenated method names: 'lUJqn1mir5', 'R8Nq8pFB2e', 'Lf5ql5Bt6j', 'ylflwsnwqr', 'Q4nlzhk7gh', 'HX0qIN4Q0U', 'S5tqPH71e3', 'YyVq1YQjeK', 'cbEqtf4hHB', 'AZCqXgMfSd'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, x8aOvJwTL6qZyb9b1N.cs High entropy of concatenated method names: 'mgrq4RMmQZ', 'nNcqu2uIKb', 'f6wqKUHppg', 'uvtq3UQEv3', 'nQWqgR76JE', 'f1BqjEjYJc', 'i66q5aqXA4', 'xAJqDVlc2T', 'r51qpvhRca', 'leBqxxtbaQ'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, RZLMukS7XMclQYg4eD.cs High entropy of concatenated method names: 'wQNBPXSfGo', 'HNQBtQMYuI', 'CJbBXeiwsX', 'fkUBn5xsWj', 'l96BJQRAfT', 'VgWBUqcw9J', 'vXNBl7waxh', 'uLXNEHC6wO', 'FXZNkyjsxs', 'RpwNMEFeee'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, c0jyp8jGb8Bw0VYbsp.cs High entropy of concatenated method names: 'Dispose', 'pKAPMGnyET', 'tLP1oKnany', 'SSFHHxN76t', 'IGQPwMJPFP', 'XDWPzGs3bc', 'ProcessDialogKey', 'PRc1IIvOv9', 'CUO1P7HFpM', 'UcN11NGDh7'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, LWQJq7cibjCtlnPLtrc.cs High entropy of concatenated method names: 'iugB40l1Rw', 'vbKBuGxT2D', 'oCbBKxihko', 'KuxB3kxyW5', 'YRXBgeR6oD', 'ms1BjedPXj', 'iBeB5cYQkW', 'BAxBDaeg0o', 'nyqBpVdjXI', 'CDKBxmb7B5'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, dHSW6m6n0RQuICnouD.cs High entropy of concatenated method names: 'qCtmknviMM', 'XltmwFtKUk', 'EjyNIogVts', 'U1gNP7YWhK', 'h4Dm6HNCnE', 'rPsmy6jFYR', 'ugcmsmPr0E', 'N5imfe47I6', 'UeTmTvUmRx', 'RqZmW6XOAI'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, Ah72wsQxdG1EWBZjQc.cs High entropy of concatenated method names: 'T9TeDv4pd7', 'CA7ep9iqUd', 'q8teAWZ6Ra', 'AmVeoi7efr', 'lxeehWaGlU', 'GY5eZ1vBot', 'G1cerCmgJ4', 'ftaeiwVnoc', 'ALNeL7VJAe', 'aoce65kZQT'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, GpWooulZSBMfpZYOqI.cs High entropy of concatenated method names: 'QJxl7RUA1j', 'qsPlJu3VJd', 'hfllUeuytr', 'jYDlqUybxU', 'l7nlce2K4e', 'tb4Ub4Nj6A', 'QXXUO2VbmH', 'OYAUEwsRyi', 'fW1Uks3JEQ', 'BVKUM0Jgld'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, rinCIsxKt2b2sY0kNr.cs High entropy of concatenated method names: 'ORMKGuhWw', 'AMr3hvwIZ', 'x5ejjyqLn', 'tVL5jjytI', 'd6tp2A4ov', 'cx0xNwssK', 'sci4UYywI2Q4IYFEtP', 'NV8t9OcHju3F3BGbXQ', 'DPANKprnU', 'NTsCqF8On'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, QEwiPrzwevouwMIeAy.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JP6BeNjCAC', 'UtsBRf170h', 'IO6BFOvs8p', 'FvxBmKQbTc', 'LLKBNbNFG6', 'FnaBBPjfHZ', 'gMIBCGSStP'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, oOAciwf8r4hTgD9C4H.cs High entropy of concatenated method names: 'pylRLr1tFi', 'WcORycGa49', 'TcnRfb892E', 'twhRTpHNnG', 'ecNRow2hs2', 'RqYRQJmXCt', 'GI0RhUrbo7', 'KGvRZRI7Cu', 'b3bRYiWoLt', 'LoNRrvkDqm'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, Dn5S64c2THrPeWHTug2.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xnGCfNnZJr', 'NPZCTkM0QE', 'yWwCWddwfA', 'pUnCG0qUVa', 'trDCbkqXG7', 'KukCOcwbM9', 'Yo4CEsFPLN'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, GK88Kn16WEEAbPvejc.cs High entropy of concatenated method names: 'Mutm0LN3Jy', 'dR2m2xs5hs', 'ToString', 'pBomnyAtkY', 'XN0mJTbJUp', 'W9em8v4jVP', 'g04mUq0sN1', 'U7ImlCOnox', 'wYmmqCvceV', 'PAUmclGk63'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, OMnd3l81OsuRldy2rR.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'pFo1MD0sVo', 'EPA1w3sxTZ', 'UwW1zNiNq7', 'n6StIaQC9O', 'bTctPZtRVW', 'WJSt1iHv7V', 'DlWttSkFnj', 'GSDEfyVsoGuhi8QgZM7'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, lkSy2S4jDXNLhokqZE.cs High entropy of concatenated method names: 'OFPJfkXMcN', 'c6OJTPY9Y3', 'QgaJWfYKoI', 'KdGJGOfrGU', 'EqVJbWtTdl', 'MgqJO4JWKF', 'buWJEnrtdX', 'LuQJkMQ4cY', 'mvNJMK4Jjn', 'r57Jwnoyrs'
          Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, FMyhnsUxgMA6O8A9GH.csHigh entropy of concatenated method names: 'WbJNAQ7kCD', 'Oq0NoA14fC', 'HafNQt5gOY', 'XGTNhN7NKw', 'yblNfSp071', 'rvrNZSIk5y', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, DOo1k736pip6ICyI6b.csHigh entropy of concatenated method names: 'eYI836nBBa', 'Qrl8jBal2Z', 'Xvf8DomcW2', 'iFL8p6uf65', 'Sln8RcajZV', 'wbT8Fh70FP', 'Ioc8mclGEv', 'Hwp8N4Ryw9', 'StC8BJ6SsR', 'Wk68Cgnghf'
          Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, CcAfC1OrNeHV7bQuJk.csHigh entropy of concatenated method names: 'TaAPqhrjjq', 'F1hPctVLDx', 'dmnP0UxeCe', 'eTKP2LytVZ', 'IB6PRb5MqW', 'zwrPFUHFOS', 'ObLQ6R4g1niwcadnyj', 'k3j8G9uY7RurgnGcca', 'st0PPJnoaV', 'tO3PtAfenI'
          Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, kjQP3XvYlJsebvrJgI.csHigh entropy of concatenated method names: 'nU5NnFOdxi', 'i9yNJWHQmB', 'n6SN8f1RJe', 'CmQNUyW3Ke', 'OjDNlRQEEm', 'jYfNq6cIjY', 'i8JNcLTdg4', 'KCSNVev2uT', 'dkAN0u2pLH', 'jvtN2S1Ggi'
          Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, VPSRVttg1LtLEvE5p6.csHigh entropy of concatenated method names: 'hDst7t3gsu', 'wONtnSi8tR', 'pVttJTIsjm', 'riNt8FATbN', 'tW6tU9xY5I', 'WuTtlR3svy', 'w1qtqIEpTl', 'CIOtcpov05', 'LvXtVA87aF', 'T76t0AEZyb'
          Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, KO2KmAhG1EsYFfTuj0.csHigh entropy of concatenated method names: 'exElvl6Sx2', 'B9Xl4b1DOw', 'phtlK5arW1', 'Qb4l3Fi6la', 'vo6ljqYcL0', 'N95l56BQsV', 'd46lpv7TGa', 'zP2lxPeMW3', 'RY1AQMCIBkvci8GkOXi', 'gF2i2uCNaXXGqlehIYb'
          Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, wmMGZOVAEqfjbWjTXT.csHigh entropy of concatenated method names: 'lUJqn1mir5', 'R8Nq8pFB2e', 'Lf5ql5Bt6j', 'ylflwsnwqr', 'Q4nlzhk7gh', 'HX0qIN4Q0U', 'S5tqPH71e3', 'YyVq1YQjeK', 'cbEqtf4hHB', 'AZCqXgMfSd'
          Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, x8aOvJwTL6qZyb9b1N.csHigh entropy of concatenated method names: 'mgrq4RMmQZ', 'nNcqu2uIKb', 'f6wqKUHppg', 'uvtq3UQEv3', 'nQWqgR76JE', 'f1BqjEjYJc', 'i66q5aqXA4', 'xAJqDVlc2T', 'r51qpvhRca', 'leBqxxtbaQ'
          Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, RZLMukS7XMclQYg4eD.csHigh entropy of concatenated method names: 'wQNBPXSfGo', 'HNQBtQMYuI', 'CJbBXeiwsX', 'fkUBn5xsWj', 'l96BJQRAfT', 'VgWBUqcw9J', 'vXNBl7waxh', 'uLXNEHC6wO', 'FXZNkyjsxs', 'RpwNMEFeee'
          Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, c0jyp8jGb8Bw0VYbsp.csHigh entropy of concatenated method names: 'Dispose', 'pKAPMGnyET', 'tLP1oKnany', 'SSFHHxN76t', 'IGQPwMJPFP', 'XDWPzGs3bc', 'ProcessDialogKey', 'PRc1IIvOv9', 'CUO1P7HFpM', 'UcN11NGDh7'
          Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, LWQJq7cibjCtlnPLtrc.csHigh entropy of concatenated method names: 'iugB40l1Rw', 'vbKBuGxT2D', 'oCbBKxihko', 'KuxB3kxyW5', 'YRXBgeR6oD', 'ms1BjedPXj', 'iBeB5cYQkW', 'BAxBDaeg0o', 'nyqBpVdjXI', 'CDKBxmb7B5'
          Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, dHSW6m6n0RQuICnouD.csHigh entropy of concatenated method names: 'qCtmknviMM', 'XltmwFtKUk', 'EjyNIogVts', 'U1gNP7YWhK', 'h4Dm6HNCnE', 'rPsmy6jFYR', 'ugcmsmPr0E', 'N5imfe47I6', 'UeTmTvUmRx', 'RqZmW6XOAI'
          Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, Ah72wsQxdG1EWBZjQc.csHigh entropy of concatenated method names: 'T9TeDv4pd7', 'CA7ep9iqUd', 'q8teAWZ6Ra', 'AmVeoi7efr', 'lxeehWaGlU', 'GY5eZ1vBot', 'G1cerCmgJ4', 'ftaeiwVnoc', 'ALNeL7VJAe', 'aoce65kZQT'
          Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, GpWooulZSBMfpZYOqI.csHigh entropy of concatenated method names: 'QJxl7RUA1j', 'qsPlJu3VJd', 'hfllUeuytr', 'jYDlqUybxU', 'l7nlce2K4e', 'tb4Ub4Nj6A', 'QXXUO2VbmH', 'OYAUEwsRyi', 'fW1Uks3JEQ', 'BVKUM0Jgld'
          Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, rinCIsxKt2b2sY0kNr.csHigh entropy of concatenated method names: 'ORMKGuhWw', 'AMr3hvwIZ', 'x5ejjyqLn', 'tVL5jjytI', 'd6tp2A4ov', 'cx0xNwssK', 'sci4UYywI2Q4IYFEtP', 'NV8t9OcHju3F3BGbXQ', 'DPANKprnU', 'NTsCqF8On'
          Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, QEwiPrzwevouwMIeAy.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JP6BeNjCAC', 'UtsBRf170h', 'IO6BFOvs8p', 'FvxBmKQbTc', 'LLKBNbNFG6', 'FnaBBPjfHZ', 'gMIBCGSStP'
          Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, oOAciwf8r4hTgD9C4H.csHigh entropy of concatenated method names: 'pylRLr1tFi', 'WcORycGa49', 'TcnRfb892E', 'twhRTpHNnG', 'ecNRow2hs2', 'RqYRQJmXCt', 'GI0RhUrbo7', 'KGvRZRI7Cu', 'b3bRYiWoLt', 'LoNRrvkDqm'
          Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, Dn5S64c2THrPeWHTug2.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xnGCfNnZJr', 'NPZCTkM0QE', 'yWwCWddwfA', 'pUnCG0qUVa', 'trDCbkqXG7', 'KukCOcwbM9', 'Yo4CEsFPLN'
          Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, GK88Kn16WEEAbPvejc.csHigh entropy of concatenated method names: 'Mutm0LN3Jy', 'dR2m2xs5hs', 'ToString', 'pBomnyAtkY', 'XN0mJTbJUp', 'W9em8v4jVP', 'g04mUq0sN1', 'U7ImlCOnox', 'wYmmqCvceV', 'PAUmclGk63'
          Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, OMnd3l81OsuRldy2rR.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'pFo1MD0sVo', 'EPA1w3sxTZ', 'UwW1zNiNq7', 'n6StIaQC9O', 'bTctPZtRVW', 'WJSt1iHv7V', 'DlWttSkFnj', 'GSDEfyVsoGuhi8QgZM7'
          Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, lkSy2S4jDXNLhokqZE.csHigh entropy of concatenated method names: 'OFPJfkXMcN', 'c6OJTPY9Y3', 'QgaJWfYKoI', 'KdGJGOfrGU', 'EqVJbWtTdl', 'MgqJO4JWKF', 'buWJEnrtdX', 'LuQJkMQ4cY', 'mvNJMK4Jjn', 'r57Jwnoyrs'
          Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, FMyhnsUxgMA6O8A9GH.csHigh entropy of concatenated method names: 'WbJNAQ7kCD', 'Oq0NoA14fC', 'HafNQt5gOY', 'XGTNhN7NKw', 'yblNfSp071', 'rvrNZSIk5y', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, DOo1k736pip6ICyI6b.csHigh entropy of concatenated method names: 'eYI836nBBa', 'Qrl8jBal2Z', 'Xvf8DomcW2', 'iFL8p6uf65', 'Sln8RcajZV', 'wbT8Fh70FP', 'Ioc8mclGEv', 'Hwp8N4Ryw9', 'StC8BJ6SsR', 'Wk68Cgnghf'
          Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, CcAfC1OrNeHV7bQuJk.csHigh entropy of concatenated method names: 'TaAPqhrjjq', 'F1hPctVLDx', 'dmnP0UxeCe', 'eTKP2LytVZ', 'IB6PRb5MqW', 'zwrPFUHFOS', 'ObLQ6R4g1niwcadnyj', 'k3j8G9uY7RurgnGcca', 'st0PPJnoaV', 'tO3PtAfenI'
          Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, kjQP3XvYlJsebvrJgI.csHigh entropy of concatenated method names: 'nU5NnFOdxi', 'i9yNJWHQmB', 'n6SN8f1RJe', 'CmQNUyW3Ke', 'OjDNlRQEEm', 'jYfNq6cIjY', 'i8JNcLTdg4', 'KCSNVev2uT', 'dkAN0u2pLH', 'jvtN2S1Ggi'
          Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, VPSRVttg1LtLEvE5p6.csHigh entropy of concatenated method names: 'hDst7t3gsu', 'wONtnSi8tR', 'pVttJTIsjm', 'riNt8FATbN', 'tW6tU9xY5I', 'WuTtlR3svy', 'w1qtqIEpTl', 'CIOtcpov05', 'LvXtVA87aF', 'T76t0AEZyb'
          Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, KO2KmAhG1EsYFfTuj0.csHigh entropy of concatenated method names: 'exElvl6Sx2', 'B9Xl4b1DOw', 'phtlK5arW1', 'Qb4l3Fi6la', 'vo6ljqYcL0', 'N95l56BQsV', 'd46lpv7TGa', 'zP2lxPeMW3', 'RY1AQMCIBkvci8GkOXi', 'gF2i2uCNaXXGqlehIYb'
          Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, wmMGZOVAEqfjbWjTXT.csHigh entropy of concatenated method names: 'lUJqn1mir5', 'R8Nq8pFB2e', 'Lf5ql5Bt6j', 'ylflwsnwqr', 'Q4nlzhk7gh', 'HX0qIN4Q0U', 'S5tqPH71e3', 'YyVq1YQjeK', 'cbEqtf4hHB', 'AZCqXgMfSd'
          Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, x8aOvJwTL6qZyb9b1N.csHigh entropy of concatenated method names: 'mgrq4RMmQZ', 'nNcqu2uIKb', 'f6wqKUHppg', 'uvtq3UQEv3', 'nQWqgR76JE', 'f1BqjEjYJc', 'i66q5aqXA4', 'xAJqDVlc2T', 'r51qpvhRca', 'leBqxxtbaQ'
          Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, RZLMukS7XMclQYg4eD.csHigh entropy of concatenated method names: 'wQNBPXSfGo', 'HNQBtQMYuI', 'CJbBXeiwsX', 'fkUBn5xsWj', 'l96BJQRAfT', 'VgWBUqcw9J', 'vXNBl7waxh', 'uLXNEHC6wO', 'FXZNkyjsxs', 'RpwNMEFeee'
          Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, c0jyp8jGb8Bw0VYbsp.csHigh entropy of concatenated method names: 'Dispose', 'pKAPMGnyET', 'tLP1oKnany', 'SSFHHxN76t', 'IGQPwMJPFP', 'XDWPzGs3bc', 'ProcessDialogKey', 'PRc1IIvOv9', 'CUO1P7HFpM', 'UcN11NGDh7'
          Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, LWQJq7cibjCtlnPLtrc.csHigh entropy of concatenated method names: 'iugB40l1Rw', 'vbKBuGxT2D', 'oCbBKxihko', 'KuxB3kxyW5', 'YRXBgeR6oD', 'ms1BjedPXj', 'iBeB5cYQkW', 'BAxBDaeg0o', 'nyqBpVdjXI', 'CDKBxmb7B5'
          Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, dHSW6m6n0RQuICnouD.csHigh entropy of concatenated method names: 'qCtmknviMM', 'XltmwFtKUk', 'EjyNIogVts', 'U1gNP7YWhK', 'h4Dm6HNCnE', 'rPsmy6jFYR', 'ugcmsmPr0E', 'N5imfe47I6', 'UeTmTvUmRx', 'RqZmW6XOAI'
          Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, Ah72wsQxdG1EWBZjQc.csHigh entropy of concatenated method names: 'T9TeDv4pd7', 'CA7ep9iqUd', 'q8teAWZ6Ra', 'AmVeoi7efr', 'lxeehWaGlU', 'GY5eZ1vBot', 'G1cerCmgJ4', 'ftaeiwVnoc', 'ALNeL7VJAe', 'aoce65kZQT'
          Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, GpWooulZSBMfpZYOqI.csHigh entropy of concatenated method names: 'QJxl7RUA1j', 'qsPlJu3VJd', 'hfllUeuytr', 'jYDlqUybxU', 'l7nlce2K4e', 'tb4Ub4Nj6A', 'QXXUO2VbmH', 'OYAUEwsRyi', 'fW1Uks3JEQ', 'BVKUM0Jgld'
          Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, rinCIsxKt2b2sY0kNr.csHigh entropy of concatenated method names: 'ORMKGuhWw', 'AMr3hvwIZ', 'x5ejjyqLn', 'tVL5jjytI', 'd6tp2A4ov', 'cx0xNwssK', 'sci4UYywI2Q4IYFEtP', 'NV8t9OcHju3F3BGbXQ', 'DPANKprnU', 'NTsCqF8On'
          Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, QEwiPrzwevouwMIeAy.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JP6BeNjCAC', 'UtsBRf170h', 'IO6BFOvs8p', 'FvxBmKQbTc', 'LLKBNbNFG6', 'FnaBBPjfHZ', 'gMIBCGSStP'
          Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, oOAciwf8r4hTgD9C4H.csHigh entropy of concatenated method names: 'pylRLr1tFi', 'WcORycGa49', 'TcnRfb892E', 'twhRTpHNnG', 'ecNRow2hs2', 'RqYRQJmXCt', 'GI0RhUrbo7', 'KGvRZRI7Cu', 'b3bRYiWoLt', 'LoNRrvkDqm'
          Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, Dn5S64c2THrPeWHTug2.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xnGCfNnZJr', 'NPZCTkM0QE', 'yWwCWddwfA', 'pUnCG0qUVa', 'trDCbkqXG7', 'KukCOcwbM9', 'Yo4CEsFPLN'
          Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, GK88Kn16WEEAbPvejc.csHigh entropy of concatenated method names: 'Mutm0LN3Jy', 'dR2m2xs5hs', 'ToString', 'pBomnyAtkY', 'XN0mJTbJUp', 'W9em8v4jVP', 'g04mUq0sN1', 'U7ImlCOnox', 'wYmmqCvceV', 'PAUmclGk63'
          Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, OMnd3l81OsuRldy2rR.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'pFo1MD0sVo', 'EPA1w3sxTZ', 'UwW1zNiNq7', 'n6StIaQC9O', 'bTctPZtRVW', 'WJSt1iHv7V', 'DlWttSkFnj', 'GSDEfyVsoGuhi8QgZM7'
          Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, lkSy2S4jDXNLhokqZE.csHigh entropy of concatenated method names: 'OFPJfkXMcN', 'c6OJTPY9Y3', 'QgaJWfYKoI', 'KdGJGOfrGU', 'EqVJbWtTdl', 'MgqJO4JWKF', 'buWJEnrtdX', 'LuQJkMQ4cY', 'mvNJMK4Jjn', 'r57Jwnoyrs'
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeFile created: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exeJump to dropped file

          Boot Survival

          barindex
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xmAdkuQjxrS" /XML "C:\Users\user\AppData\Local\Temp\tmp69A7.tmp"

          Hooking and other Techniques for Hiding and Protection

          barindex
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\mstsc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: Yara match File source: Process Memory Space: faktura proforma pdf.exe PID: 2692, type: MEMORYSTR
          Source: Yara match File source: Process Memory Space: xmAdkuQjxrS.exe PID: 7332, type: MEMORYSTR
          Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7FFE2220D324
          Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7FFE22210774
          Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7FFE2220D944
          Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7FFE2220D504
          Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7FFE2220D544
          Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7FFE2220D1E4
          Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7FFE22210154
          Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7FFE2220D8A4
          Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7FFE2220DA44
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\mstsc.exe RDTSC instruction interceptor: First address: 32C9904 second address: 32C990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\raserver.exe RDTSC instruction interceptor: First address: 3009904 second address: 300990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\mstsc.exe RDTSC instruction interceptor: First address: 32C9B7E second address: 32C9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\raserver.exe RDTSC instruction interceptor: First address: 3009B7E second address: 3009B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Memory allocated: 1180000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Memory allocated: 2D30000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Memory allocated: 2B30000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Memory allocated: 8B80000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Memory allocated: 7490000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Memory allocated: 9B80000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Memory allocated: AB80000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Memory allocated: B5F0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Memory allocated: C5F0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Memory allocated: D5F0000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Memory allocated: 8A0000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Memory allocated: 2790000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Memory allocated: 4790000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Memory allocated: 81B0000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Memory allocated: 6B80000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Memory allocated: 91B0000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Memory allocated: A1B0000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Memory allocated: ABC0000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Memory allocated: BBC0000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Memory allocated: CBC0000 memory reserve | memory write watch
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00409AB0 rdtsc 6_2_00409AB0
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6832
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2911
          Source: C:\Windows\explorer.exe Window / User API: threadDelayed 3696
          Source: C:\Windows\explorer.exe Window / User API: threadDelayed 6247
          Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 893
          Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 857
          Source: C:\Windows\SysWOW64\mstsc.exe Window / User API: threadDelayed 9819
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API coverage: 1.7 %
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe TID: 4944 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7216 Thread sleep time: -5534023222112862s >= -30000s
          Source: C:\Windows\explorer.exe TID: 7832 Thread sleep count: 3696 > 30
          Source: C:\Windows\explorer.exe TID: 7832 Thread sleep time: -7392000s >= -30000s
          Source: C:\Windows\explorer.exe TID: 7832 Thread sleep count: 6247 > 30
          Source: C:\Windows\explorer.exe TID: 7832 Thread sleep time: -12494000s >= -30000s
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe TID: 7352 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\mstsc.exe TID: 7656 Thread sleep count: 153 > 30
          Source: C:\Windows\SysWOW64\mstsc.exe TID: 7656 Thread sleep time: -306000s >= -30000s
          Source: C:\Windows\SysWOW64\mstsc.exe TID: 7656 Thread sleep count: 9819 > 30
          Source: C:\Windows\SysWOW64\mstsc.exe TID: 7656 Thread sleep time: -19638000s >= -30000s
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\mstsc.exe Last function: Thread delayed
          Source: explorer.exe, 00000007.00000000.1726963968.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000007.00000003.3111719104.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NECVMWar VMware SATA CD00\w
          Source: explorer.exe, 00000007.00000003.3111719104.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
          Source: explorer.exe, 00000007.00000000.1720478261.00000000079FB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
          Source: explorer.exe, 00000007.00000000.1726963968.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000007.00000000.1716988722.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
          Source: explorer.exe, 00000007.00000000.1720478261.00000000079FB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000007.00000000.1726963968.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000007.00000000.1720478261.00000000078AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTTAVMWare
          Source: explorer.exe, 00000007.00000003.3111719104.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
          Source: explorer.exe, 00000007.00000002.4149087756.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111719104.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1725514053.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4149087756.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111719104.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1725514053.00000000097D4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000007.00000000.1726963968.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
          Source: explorer.exe, 00000007.00000002.4145487064.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1720478261.0000000007A34000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnx
          Source: explorer.exe, 00000007.00000000.1725514053.0000000009660000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
          Source: explorer.exe, 00000007.00000000.1716988722.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: explorer.exe, 00000007.00000000.1716988722.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information queried: ProcessInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\mstsc.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\raserver.exe Process queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0040ACF0 LdrLoadDll, 6_2_0040ACF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01558158 mov eax, dword ptr fs:[00000030h] 6_2_01558158
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01554144 mov eax, dword ptr fs:[00000030h] 6_2_01554144
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01554144 mov ecx, dword ptr fs:[00000030h] 6_2_01554144
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C6154 mov eax, dword ptr fs:[00000030h] 6_2_014C6154
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014BC156 mov eax, dword ptr fs:[00000030h] 6_2_014BC156
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01594164 mov eax, dword ptr fs:[00000030h] 6_2_01594164
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01580115 mov eax, dword ptr fs:[00000030h] 6_2_01580115
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156A118 mov ecx, dword ptr fs:[00000030h] 6_2_0156A118
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156A118 mov eax, dword ptr fs:[00000030h] 6_2_0156A118
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156E10E mov eax, dword ptr fs:[00000030h] 6_2_0156E10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156E10E mov ecx, dword ptr fs:[00000030h] 6_2_0156E10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014F0124 mov eax, dword ptr fs:[00000030h] 6_2_014F0124
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0153E1D0 mov eax, dword ptr fs:[00000030h] 6_2_0153E1D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0153E1D0 mov ecx, dword ptr fs:[00000030h] 6_2_0153E1D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015861C3 mov eax, dword ptr fs:[00000030h] 6_2_015861C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014F01F8 mov eax, dword ptr fs:[00000030h] 6_2_014F01F8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015961E5 mov eax, dword ptr fs:[00000030h] 6_2_015961E5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0154019F mov eax, dword ptr fs:[00000030h] 6_2_0154019F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01500185 mov eax, dword ptr fs:[00000030h] 6_2_01500185
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01564180 mov eax, dword ptr fs:[00000030h] 6_2_01564180
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014BA197 mov eax, dword ptr fs:[00000030h] 6_2_014BA197
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0157C188 mov eax, dword ptr fs:[00000030h] 6_2_0157C188
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01546050 mov eax, dword ptr fs:[00000030h] 6_2_01546050
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C2050 mov eax, dword ptr fs:[00000030h] 6_2_014C2050
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014EC073 mov eax, dword ptr fs:[00000030h] 6_2_014EC073
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01544000 mov ecx, dword ptr fs:[00000030h] 6_2_01544000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01562000 mov eax, dword ptr fs:[00000030h] 6_2_01562000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014DE016 mov eax, dword ptr fs:[00000030h] 6_2_014DE016
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01556030 mov eax, dword ptr fs:[00000030h]6_2_01556030
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014BA020 mov eax, dword ptr fs:[00000030h]6_2_014BA020
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014BC020 mov eax, dword ptr fs:[00000030h]6_2_014BC020
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015420DE mov eax, dword ptr fs:[00000030h]6_2_015420DE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015020F0 mov ecx, dword ptr fs:[00000030h]6_2_015020F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C80E9 mov eax, dword ptr fs:[00000030h]6_2_014C80E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014BA0E3 mov ecx, dword ptr fs:[00000030h]6_2_014BA0E3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015460E0 mov eax, dword ptr fs:[00000030h]6_2_015460E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014BC0F0 mov eax, dword ptr fs:[00000030h]6_2_014BC0F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C208A mov eax, dword ptr fs:[00000030h]6_2_014C208A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015860B8 mov eax, dword ptr fs:[00000030h]6_2_015860B8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015860B8 mov ecx, dword ptr fs:[00000030h]6_2_015860B8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B80A0 mov eax, dword ptr fs:[00000030h]6_2_014B80A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015580A8 mov eax, dword ptr fs:[00000030h]6_2_015580A8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01568350 mov ecx, dword ptr fs:[00000030h]6_2_01568350
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0154035C mov eax, dword ptr fs:[00000030h]6_2_0154035C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0154035C mov eax, dword ptr fs:[00000030h]6_2_0154035C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0154035C mov eax, dword ptr fs:[00000030h]6_2_0154035C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0154035C mov ecx, dword ptr fs:[00000030h]6_2_0154035C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0154035C mov eax, dword ptr fs:[00000030h]6_2_0154035C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0154035C mov eax, dword ptr fs:[00000030h]6_2_0154035C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0158A352 mov eax, dword ptr fs:[00000030h]6_2_0158A352
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0159634F mov eax, dword ptr fs:[00000030h]6_2_0159634F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01542349 mov eax, dword ptr fs:[00000030h]6_2_01542349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01542349 mov eax, dword ptr fs:[00000030h]6_2_01542349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01542349 mov eax, dword ptr fs:[00000030h]6_2_01542349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01542349 mov eax, dword ptr fs:[00000030h]6_2_01542349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01542349 mov eax, dword ptr fs:[00000030h]6_2_01542349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01542349 mov eax, dword ptr fs:[00000030h]6_2_01542349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01542349 mov eax, dword ptr fs:[00000030h]6_2_01542349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01542349 mov eax, dword ptr fs:[00000030h]6_2_01542349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01542349 mov eax, dword ptr fs:[00000030h]6_2_01542349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01542349 mov eax, dword ptr fs:[00000030h]6_2_01542349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01542349 mov eax, dword ptr fs:[00000030h]6_2_01542349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01542349 mov eax, dword ptr fs:[00000030h]6_2_01542349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01542349 mov eax, dword ptr fs:[00000030h]6_2_01542349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01542349 mov eax, dword ptr fs:[00000030h]6_2_01542349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01542349 mov eax, dword ptr fs:[00000030h]6_2_01542349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0156437C mov eax, dword ptr fs:[00000030h]6_2_0156437C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014FA30B mov eax, dword ptr fs:[00000030h]6_2_014FA30B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014FA30B mov eax, dword ptr fs:[00000030h]6_2_014FA30B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014FA30B mov eax, dword ptr fs:[00000030h]6_2_014FA30B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014BC310 mov ecx, dword ptr fs:[00000030h]6_2_014BC310
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E0310 mov ecx, dword ptr fs:[00000030h]6_2_014E0310
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01598324 mov eax, dword ptr fs:[00000030h]6_2_01598324
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01598324 mov ecx, dword ptr fs:[00000030h]6_2_01598324
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01598324 mov eax, dword ptr fs:[00000030h]6_2_01598324
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01598324 mov eax, dword ptr fs:[00000030h]6_2_01598324
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015643D4 mov eax, dword ptr fs:[00000030h]6_2_015643D4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015643D4 mov eax, dword ptr fs:[00000030h]6_2_015643D4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014CA3C0 mov eax, dword ptr fs:[00000030h]6_2_014CA3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014CA3C0 mov eax, dword ptr fs:[00000030h]6_2_014CA3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014CA3C0 mov eax, dword ptr fs:[00000030h]6_2_014CA3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014CA3C0 mov eax, dword ptr fs:[00000030h]6_2_014CA3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014CA3C0 mov eax, dword ptr fs:[00000030h]6_2_014CA3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014CA3C0 mov eax, dword ptr fs:[00000030h]6_2_014CA3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C83C0 mov eax, dword ptr fs:[00000030h]6_2_014C83C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C83C0 mov eax, dword ptr fs:[00000030h]6_2_014C83C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C83C0 mov eax, dword ptr fs:[00000030h]6_2_014C83C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C83C0 mov eax, dword ptr fs:[00000030h]6_2_014C83C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0156E3DB mov eax, dword ptr fs:[00000030h]6_2_0156E3DB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0156E3DB mov eax, dword ptr fs:[00000030h]6_2_0156E3DB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0156E3DB mov ecx, dword ptr fs:[00000030h]6_2_0156E3DB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0156E3DB mov eax, dword ptr fs:[00000030h]6_2_0156E3DB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015463C0 mov eax, dword ptr fs:[00000030h]6_2_015463C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0157C3CD mov eax, dword ptr fs:[00000030h]6_2_0157C3CD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D03E9 mov eax, dword ptr fs:[00000030h]6_2_014D03E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D03E9 mov eax, dword ptr fs:[00000030h]6_2_014D03E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D03E9 mov eax, dword ptr fs:[00000030h]6_2_014D03E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D03E9 mov eax, dword ptr fs:[00000030h]6_2_014D03E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D03E9 mov eax, dword ptr fs:[00000030h]6_2_014D03E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D03E9 mov eax, dword ptr fs:[00000030h]6_2_014D03E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D03E9 mov eax, dword ptr fs:[00000030h]6_2_014D03E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D03E9 mov eax, dword ptr fs:[00000030h]6_2_014D03E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F63FF mov eax, dword ptr fs:[00000030h]6_2_014F63FF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014DE3F0 mov eax, dword ptr fs:[00000030h]6_2_014DE3F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014DE3F0 mov eax, dword ptr fs:[00000030h]6_2_014DE3F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014DE3F0 mov eax, dword ptr fs:[00000030h]6_2_014DE3F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E438F mov eax, dword ptr fs:[00000030h]6_2_014E438F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E438F mov eax, dword ptr fs:[00000030h]6_2_014E438F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014BE388 mov eax, dword ptr fs:[00000030h]6_2_014BE388
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014BE388 mov eax, dword ptr fs:[00000030h]6_2_014BE388
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014BE388 mov eax, dword ptr fs:[00000030h]6_2_014BE388
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B8397 mov eax, dword ptr fs:[00000030h]6_2_014B8397
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B8397 mov eax, dword ptr fs:[00000030h]6_2_014B8397
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B8397 mov eax, dword ptr fs:[00000030h]6_2_014B8397
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0159625D mov eax, dword ptr fs:[00000030h]6_2_0159625D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0157A250 mov eax, dword ptr fs:[00000030h]6_2_0157A250
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0157A250 mov eax, dword ptr fs:[00000030h]6_2_0157A250
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C6259 mov eax, dword ptr fs:[00000030h]6_2_014C6259
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01548243 mov eax, dword ptr fs:[00000030h]6_2_01548243
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01548243 mov ecx, dword ptr fs:[00000030h]6_2_01548243
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014BA250 mov eax, dword ptr fs:[00000030h]6_2_014BA250
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B826B mov eax, dword ptr fs:[00000030h]6_2_014B826B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01570274 mov eax, dword ptr fs:[00000030h]6_2_01570274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01570274 mov eax, dword ptr fs:[00000030h]6_2_01570274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01570274 mov eax, dword ptr fs:[00000030h]6_2_01570274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01570274 mov eax, dword ptr fs:[00000030h]6_2_01570274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01570274 mov eax, dword ptr fs:[00000030h]6_2_01570274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01570274 mov eax, dword ptr fs:[00000030h]6_2_01570274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01570274 mov eax, dword ptr fs:[00000030h]6_2_01570274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01570274 mov eax, dword ptr fs:[00000030h]6_2_01570274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01570274 mov eax, dword ptr fs:[00000030h]6_2_01570274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01570274 mov eax, dword ptr fs:[00000030h]6_2_01570274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01570274 mov eax, dword ptr fs:[00000030h]6_2_01570274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01570274 mov eax, dword ptr fs:[00000030h]6_2_01570274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C4260 mov eax, dword ptr fs:[00000030h]6_2_014C4260
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C4260 mov eax, dword ptr fs:[00000030h]6_2_014C4260
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C4260 mov eax, dword ptr fs:[00000030h]6_2_014C4260
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B823B mov eax, dword ptr fs:[00000030h]6_2_014B823B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014CA2C3 mov eax, dword ptr fs:[00000030h]6_2_014CA2C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014CA2C3 mov eax, dword ptr fs:[00000030h]6_2_014CA2C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014CA2C3 mov eax, dword ptr fs:[00000030h]6_2_014CA2C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014CA2C3 mov eax, dword ptr fs:[00000030h]6_2_014CA2C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014CA2C3 mov eax, dword ptr fs:[00000030h]6_2_014CA2C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015962D6 mov eax, dword ptr fs:[00000030h]6_2_015962D6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D02E1 mov eax, dword ptr fs:[00000030h]6_2_014D02E1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D02E1 mov eax, dword ptr fs:[00000030h]6_2_014D02E1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D02E1 mov eax, dword ptr fs:[00000030h]6_2_014D02E1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014FE284 mov eax, dword ptr fs:[00000030h]6_2_014FE284
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014FE284 mov eax, dword ptr fs:[00000030h]6_2_014FE284
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01540283 mov eax, dword ptr fs:[00000030h]6_2_01540283
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01540283 mov eax, dword ptr fs:[00000030h]6_2_01540283
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01540283 mov eax, dword ptr fs:[00000030h]6_2_01540283
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D02A0 mov eax, dword ptr fs:[00000030h]6_2_014D02A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D02A0 mov eax, dword ptr fs:[00000030h]6_2_014D02A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015562A0 mov eax, dword ptr fs:[00000030h]6_2_015562A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015562A0 mov ecx, dword ptr fs:[00000030h]6_2_015562A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015562A0 mov eax, dword ptr fs:[00000030h]6_2_015562A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015562A0 mov eax, dword ptr fs:[00000030h]6_2_015562A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015562A0 mov eax, dword ptr fs:[00000030h]6_2_015562A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015562A0 mov eax, dword ptr fs:[00000030h]6_2_015562A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C8550 mov eax, dword ptr fs:[00000030h]6_2_014C8550
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C8550 mov eax, dword ptr fs:[00000030h]6_2_014C8550
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F656A mov eax, dword ptr fs:[00000030h]6_2_014F656A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F656A mov eax, dword ptr fs:[00000030h]6_2_014F656A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F656A mov eax, dword ptr fs:[00000030h]6_2_014F656A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01556500 mov eax, dword ptr fs:[00000030h]6_2_01556500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01594500 mov eax, dword ptr fs:[00000030h]6_2_01594500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01594500 mov eax, dword ptr fs:[00000030h]6_2_01594500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01594500 mov eax, dword ptr fs:[00000030h]6_2_01594500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01594500 mov eax, dword ptr fs:[00000030h]6_2_01594500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01594500 mov eax, dword ptr fs:[00000030h]6_2_01594500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01594500 mov eax, dword ptr fs:[00000030h]6_2_01594500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01594500 mov eax, dword ptr fs:[00000030h]6_2_01594500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EE53E mov eax, dword ptr fs:[00000030h]6_2_014EE53E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EE53E mov eax, dword ptr fs:[00000030h]6_2_014EE53E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EE53E mov eax, dword ptr fs:[00000030h]6_2_014EE53E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EE53E mov eax, dword ptr fs:[00000030h]6_2_014EE53E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EE53E mov eax, dword ptr fs:[00000030h]6_2_014EE53E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D0535 mov eax, dword ptr fs:[00000030h]6_2_014D0535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D0535 mov eax, dword ptr fs:[00000030h]6_2_014D0535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D0535 mov eax, dword ptr fs:[00000030h]6_2_014D0535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D0535 mov eax, dword ptr fs:[00000030h]6_2_014D0535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D0535 mov eax, dword ptr fs:[00000030h]6_2_014D0535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D0535 mov eax, dword ptr fs:[00000030h]6_2_014D0535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014FE5CF mov eax, dword ptr fs:[00000030h]6_2_014FE5CF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014FE5CF mov eax, dword ptr fs:[00000030h]6_2_014FE5CF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C65D0 mov eax, dword ptr fs:[00000030h]6_2_014C65D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014FA5D0 mov eax, dword ptr fs:[00000030h]6_2_014FA5D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014FA5D0 mov eax, dword ptr fs:[00000030h]6_2_014FA5D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014FC5ED mov eax, dword ptr fs:[00000030h]6_2_014FC5ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014FC5ED mov eax, dword ptr fs:[00000030h]6_2_014FC5ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EE5E7 mov eax, dword ptr fs:[00000030h]6_2_014EE5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EE5E7 mov eax, dword ptr fs:[00000030h]6_2_014EE5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EE5E7 mov eax, dword ptr fs:[00000030h]6_2_014EE5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EE5E7 mov eax, dword ptr fs:[00000030h]6_2_014EE5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EE5E7 mov eax, dword ptr fs:[00000030h]6_2_014EE5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EE5E7 mov eax, dword ptr fs:[00000030h]6_2_014EE5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EE5E7 mov eax, dword ptr fs:[00000030h]6_2_014EE5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EE5E7 mov eax, dword ptr fs:[00000030h]6_2_014EE5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C25E0 mov eax, dword ptr fs:[00000030h]6_2_014C25E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F4588 mov eax, dword ptr fs:[00000030h]6_2_014F4588
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C2582 mov eax, dword ptr fs:[00000030h]6_2_014C2582
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014C2582 mov ecx, dword ptr fs:[00000030h]6_2_014C2582
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014FE59C mov eax, dword ptr fs:[00000030h]6_2_014FE59C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015405A7 mov eax, dword ptr fs:[00000030h]6_2_015405A7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015405A7 mov eax, dword ptr fs:[00000030h]6_2_015405A7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015405A7 mov eax, dword ptr fs:[00000030h]6_2_015405A7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E45B1 mov eax, dword ptr fs:[00000030h]6_2_014E45B1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E45B1 mov eax, dword ptr fs:[00000030h]6_2_014E45B1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0157A456 mov eax, dword ptr fs:[00000030h]6_2_0157A456
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014FE443 mov eax, dword ptr fs:[00000030h]6_2_014FE443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014FE443 mov eax, dword ptr fs:[00000030h]6_2_014FE443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014FE443 mov eax, dword ptr fs:[00000030h]6_2_014FE443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014FE443 mov eax, dword ptr fs:[00000030h]6_2_014FE443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014FE443 mov eax, dword ptr fs:[00000030h]6_2_014FE443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014FE443 mov eax, dword ptr fs:[00000030h]6_2_014FE443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014FE443 mov eax, dword ptr fs:[00000030h]6_2_014FE443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014FE443 mov eax, dword ptr fs:[00000030h]6_2_014FE443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E245A mov eax, dword ptr fs:[00000030h]6_2_014E245A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014B645D mov eax, dword ptr fs:[00000030h]6_2_014B645D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0154C460 mov ecx, dword ptr fs:[00000030h]6_2_0154C460
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EA470 mov eax, dword ptr fs:[00000030h]6_2_014EA470
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EA470 mov eax, dword ptr fs:[00000030h]6_2_014EA470
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EA470 mov eax, dword ptr fs:[00000030h]6_2_014EA470
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F8402 mov eax, dword ptr fs:[00000030h]6_2_014F8402
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F8402 mov eax, dword ptr fs:[00000030h]6_2_014F8402
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F8402 mov eax, dword ptr fs:[00000030h]6_2_014F8402
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014BE420 mov eax, dword ptr fs:[00000030h]6_2_014BE420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Code functions that read fs:[00000030h], the PEB pointer in the 32-bit TEB (function id, instruction, occurrences within that function):
          6_2_014BE420  mov eax, dword ptr fs:[00000030h]  (2)
          6_2_014BC427  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_01546420  mov eax, dword ptr fs:[00000030h]  (7)
          6_2_014C04E5  mov ecx, dword ptr fs:[00000030h]  (1)
          6_2_0157A49A  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_0154A4B0  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_014C64AB  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_014F44B0  mov ecx, dword ptr fs:[00000030h]  (1)
          6_2_01502750  mov eax, dword ptr fs:[00000030h]  (2)
          6_2_01544755  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_014F674D  mov esi, dword ptr fs:[00000030h]  (1); mov eax, dword ptr fs:[00000030h]  (2)
          6_2_0154E75D  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_014C0750  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_014C8770  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_014D0770  mov eax, dword ptr fs:[00000030h]  (12)
          6_2_014FC700  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_014C0710  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_014F0710  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_0153C730  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_014FC720  mov eax, dword ptr fs:[00000030h]  (2)
          6_2_014F273C  mov eax, dword ptr fs:[00000030h]  (2); mov ecx, dword ptr fs:[00000030h]  (1)
          6_2_014CC7C0  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_015407C3  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_014E27ED  mov eax, dword ptr fs:[00000030h]  (3)
          6_2_0154E7E1  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_014C47FB  mov eax, dword ptr fs:[00000030h]  (2)
          6_2_0156678E  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_014C07AF  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_015747A0  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_014DC640  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_014FA660  mov eax, dword ptr fs:[00000030h]  (2)
          6_2_0158866E  mov eax, dword ptr fs:[00000030h]  (2)
          6_2_014F2674  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_014D260B  mov eax, dword ptr fs:[00000030h]  (7)
          6_2_01502619  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_0153E609  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_014C262C  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_014DE627  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_014F6620  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_014F8620  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_014FA6C7  mov ebx, dword ptr fs:[00000030h]  (1); mov eax, dword ptr fs:[00000030h]  (1)
          6_2_0153E6F2  mov eax, dword ptr fs:[00000030h]  (4)
          6_2_015406F1  mov eax, dword ptr fs:[00000030h]  (2)
          6_2_014C4690  mov eax, dword ptr fs:[00000030h]  (2)
          6_2_014FC6A6  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_014F66B0  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_01540946  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_01594940  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_0154C97C  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_014E6962  mov eax, dword ptr fs:[00000030h]  (3)
          6_2_01564978  mov eax, dword ptr fs:[00000030h]  (2)
          6_2_0150096E  mov eax, dword ptr fs:[00000030h]  (2); mov edx, dword ptr fs:[00000030h]  (1)
          6_2_0154C912  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_014B8918  mov eax, dword ptr fs:[00000030h]  (2)
          6_2_0153E908  mov eax, dword ptr fs:[00000030h]  (2)
          6_2_0154892A  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_0155892B  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_0158A9D3  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_015569C0  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_014CA9D0  mov eax, dword ptr fs:[00000030h]  (6)
          6_2_014F49D0  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_0154E9E0  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_014F29F9  mov eax, dword ptr fs:[00000030h]  (2)
          6_2_014C09AD  mov eax, dword ptr fs:[00000030h]  (2)
          6_2_015489B3  mov esi, dword ptr fs:[00000030h]  (1); mov eax, dword ptr fs:[00000030h]  (2)
          6_2_014D29A0  mov eax, dword ptr fs:[00000030h]  (13)
          6_2_014D2840  mov ecx, dword ptr fs:[00000030h]  (1)
          6_2_014C4859  mov eax, dword ptr fs:[00000030h]  (2)
          6_2_014F0854  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_01556870  mov eax, dword ptr fs:[00000030h]  (2)
          6_2_0154E872  mov eax, dword ptr fs:[00000030h]  (2)
          6_2_0154C810  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_0156483A  mov eax, dword ptr fs:[00000030h]  (2)
          6_2_014E2835  mov eax, dword ptr fs:[00000030h]  (5); mov ecx, dword ptr fs:[00000030h]  (1)
          6_2_014FA830  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_014EE8C0  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_015908C0  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_014FC8F9  mov eax, dword ptr fs:[00000030h]  (2)
          6_2_0158A8E4  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_0154C89D  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_014C0887  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_0156EB50  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_01592B57  mov eax, dword ptr fs:[00000030h]  (4)
          6_2_01568B42  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_01556B40  mov eax, dword ptr fs:[00000030h]  (2)
          6_2_0158AB40  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_014B8B50  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_01574B4B  mov eax, dword ptr fs:[00000030h]  (2)
          6_2_014BCB7E  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_0153EB1D  mov eax, dword ptr fs:[00000030h]  (9)
          6_2_01594B00  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_014EEB20  mov eax, dword ptr fs:[00000030h]  (2)
          6_2_01588B28  mov eax, dword ptr fs:[00000030h]  (2)
          6_2_014C0BCD  mov eax, dword ptr fs:[00000030h]  (3)
          6_2_014E0BCB  mov eax, dword ptr fs:[00000030h]  (3)
          6_2_0156EBD0  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_0154CBF0  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_014EEBFC  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_014C8BF0  mov eax, dword ptr fs:[00000030h]  (3)
          6_2_01574BB0  mov eax, dword ptr fs:[00000030h]  (2)
          6_2_014D0BBE  mov eax, dword ptr fs:[00000030h]  (2)
          6_2_014D0A5B  mov eax, dword ptr fs:[00000030h]  (2)
          6_2_014C6A50  mov eax, dword ptr fs:[00000030h]  (7)
          6_2_014FCA6F  mov eax, dword ptr fs:[00000030h]  (3)
          6_2_0153CA72  mov eax, dword ptr fs:[00000030h]  (2)
          6_2_0156EA60  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_0154CA11  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_014EEA2E  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_014FCA24  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_014E4A35  mov eax, dword ptr fs:[00000030h]  (2)
          6_2_014C0AD0  mov eax, dword ptr fs:[00000030h]  (1)
          6_2_01516ACC  mov eax, dword ptr fs:[00000030h]  (3)
          6_2_014F4AD0  mov eax, dword ptr fs:[00000030h]  (2)
          6_2_014FAAEE  mov eax, dword ptr fs:[00000030h]  (2)
          6_2_014CEA80  mov eax, dword ptr fs:[00000030h]  (5)
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeMemory allocated: page read and write | page guardJump to behavior

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe"
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe NtClose: Indirect: 0x180A56C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe NtQueueApcThread: Indirect: 0x180A4F2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe NtClose: Indirect: 0x17BA56C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe NtQueueApcThread: Indirect: 0x17BA4F2
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread register set: target process: 2580
          Source: C:\Windows\SysWOW64\mstsc.exe Thread register set: target process: 2580
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section unmapped: C:\Windows\SysWOW64\mstsc.exe base address: 8F0000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: 270000
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: C8D008
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: B2A008
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xmAdkuQjxrS" /XML "C:\Users\user\AppData\Local\Temp\tmp69A7.tmp"
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xmAdkuQjxrS" /XML "C:\Users\user\AppData\Local\Temp\tmp77D0.tmp"
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          Source: C:\Windows\SysWOW64\mstsc.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          Source: explorer.exe, 00000007.00000002.4143182866.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.4144949157.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1725514053.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000007.00000002.4143182866.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1717518008.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000007.00000002.4142527749.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1716988722.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1Progman$
          Source: explorer.exe, 00000007.00000002.4143182866.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1717518008.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
          Source: explorer.exe, 00000007.00000002.4143182866.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1717518008.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Users\user\Desktop\faktura proforma pdf.exe VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exeQueries volume information: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\faktura proforma pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xmAdkuQjxrS.exe.41fb088.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1791235982.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1737166544.00000000045C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1773933452.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.4142797665.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.4142425418.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.4142752695.0000000003670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xmAdkuQjxrS.exe.41fb088.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1791235982.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1737166544.00000000045C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1773933452.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.4142797665.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.4142425418.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.4142752695.0000000003670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 712 Process Injection | 1 Masquerading | OS Credential Dumping | 321 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Shared Modules | 1 DLL Side-Loading | 1 Scheduled Task/Job | 11 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Abuse Elevation Control Mechanism | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 712 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Abuse Elevation Control Mechanism | Cached Domain Credentials | 212 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 4 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 12 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph ID: 1540850, Sample: faktura proforma pdf.exe, Startdate: 24/10/2024, Architecture: WINDOWS, Score: 100

Start (node 2)
  DNS/IP: www.isax.xyz (55), www.haad.xyz (57), 9 other IPs or domains (59)
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures
  Started: faktura proforma pdf.exe (11, 7 created files); xmAdkuQjxrS.exe (15, 5 created files)

www.haad.xyz (57)
  Signatures: Performs DNS queries to domains with low reputation

faktura proforma pdf.exe (11)
  Dropped: C:\Users\user\AppData\...\xmAdkuQjxrS.exe (PE32); C:\Users\...\xmAdkuQjxrS.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp69A7.tmp (XML); C:\Users\...\faktura proforma pdf.exe.log (ASCII)
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender
  Started: RegSvcs.exe (17); powershell.exe (20, 23); schtasks.exe (22, 1)

xmAdkuQjxrS.exe (15)
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
  Started: RegSvcs.exe (24); schtasks.exe (26, 1)

RegSvcs.exe (17)
  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
  Injected: explorer.exe (28, 57 1)

powershell.exe (20)
  Signatures: Loading BitLocker PowerShell Module
  Started: WmiPrvSE.exe (30); conhost.exe (32)

schtasks.exe (22)
  Started: conhost.exe (34)

RegSvcs.exe (24)
  Signatures: Found direct / indirect Syscall (likely to bypass EDR)

schtasks.exe (26)
  Started: conhost.exe (36)

explorer.exe (28)
  Started: mstsc.exe (38); raserver.exe (41)

mstsc.exe (38)
  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces
  Started: cmd.exe (43)

cmd.exe (43)
  Started: conhost.exe (45)

Source | Detection | Scanner | Label
faktura proforma pdf.exe | 34% | ReversingLabs | Win32.Trojan.Sonbokli
faktura proforma pdf.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe | 34% | ReversingLabs | Win32.Trojan.Sonbokli
          No Antivirus matches
          No Antivirus matches
Source | Detection | Scanner | Label
https://aka.ms/odirmr | 0% | URL Reputation | safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | 0% | URL Reputation | safe
https://api.msn.com:443/v1/news/Feed/Windows? | 0% | URL Reputation | safe
http://www.fontbureau.com/designers | 0% | URL Reputation | safe
https://excel.office.com | 0% | URL Reputation | safe
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/ | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY | 0% | URL Reputation | safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg | 0% | URL Reputation | safe
https://wns.windows.com/L | 0% | URL Reputation | safe
https://word.office.com | 0% | URL Reputation | safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | 0% | URL Reputation | safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu | 0% | URL Reputation | safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/frere-user.html | 0% | URL Reputation | safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark | 0% | URL Reputation | safe
https://www.rd.com/list/polite-habits-campers-dislike/ | 0% | URL Reputation | safe
https://android.notify.windows.com/iOS | 0% | URL Reputation | safe
https://outlook.com_ | 0% | URL Reputation | safe
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe | 0% | URL Reputation | safe
http://www.fontbureau.com/designersG | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/? | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.fontbureau.com/designers? | 0% | URL Reputation | safe
https://powerpoint.office.comcember | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://schemas.micro | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe
https://api.msn.com/q | 0% | URL Reputation | safe
https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc | 0% | URL Reputation | safe
http://www.fonts.com | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.haad.xyz | 13.248.252.114 | true | true | | unknown
www.isax.xyz | unknown | unknown | true | | unknown
www.nline-shopping-56055.bond | unknown | unknown | true | | unknown
www.omaininformaniacion.fun | unknown | unknown | true | | unknown
www.rrivalgetaways.info | unknown | unknown | true | | unknown
www.asposted.online | unknown | unknown | true | | unknown
www.hopbestdeals.online | unknown | unknown | true | | unknown
www.hilohcreekpemf.online | unknown | unknown | true | | unknown
www.indow-replacement-46487.bond | unknown | unknown | true | | unknown
www.hetinkerfoundation.net | unknown | unknown | true | | unknown
www.ixaahx.shop | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
www.asposted.online/gy15/ | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.oftware-download-44761.bond | explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://aka.ms/odirmr | explorer.exe, 00000007.00000002.4145487064.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1720478261.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.hetinkerfoundation.net/gy15/ | explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.nline-shopping-56055.bondReferer: | explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.nline-shopping-56055.bond | explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.hetinkerfoundation.net/gy15/www.nline-shopping-56055.bond | explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.omaininformaniacion.fun/gy15/www.hetinkerfoundation.net | explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4149087756.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111719104.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1725514053.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.nline-shopping-56055.bond/gy15/www.rrivalgetaways.info | explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp | false |
                                                unknown
                                                http://www.ixaahx.shop/gy15/explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  unknown
                                                  http://www.fontbureau.com/designersfaktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://excel.office.comexplorer.exe, 00000007.00000000.1733763393.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4154353746.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-weexplorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    unknown
                                                    https://simpleflying.com/how-do-you-become-an-air-traffic-controller/explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.hetinkerfoundation.netexplorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      unknown
                                                      http://www.sajatypeworks.comfaktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.founder.com.cn/cn/cThefaktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUYexplorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-darkexplorer.exe, 00000007.00000002.4145487064.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1720478261.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.galapagosdesign.com/DPleasefaktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exeexplorer.exe, 00000007.00000002.4154353746.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1733763393.000000000C893000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.urwpp.deDPleasefaktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.zhongyicts.com.cnfaktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.hopbestdeals.online/gy15/explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        unknown
                                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namefaktura proforma pdf.exe, 00000000.00000002.1736105667.0000000002F5A000.00000004.00000800.00020000.00000000.sdmp, xmAdkuQjxrS.exe, 00000009.00000002.1772272518.00000000029C0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.orthfitness.netexplorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                          unknown
                                                          http://www.omaininformaniacion.funReferer:explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            unknown
                                                            http://www.hopbestdeals.online/gy15/www.hqaiop.xyzexplorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              unknown
                                                              http://www.omaininformaniacion.fun/gy15/explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                unknown
                                                                https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svgexplorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.autoitscript.com/autoit3/Jexplorer.exe, 00000007.00000003.3108552283.000000000C9AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1733763393.000000000C964000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  unknown
                                                                  https://wns.windows.com/Lexplorer.exe, 00000007.00000000.1733763393.000000000C557000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  https://word.office.comexplorer.exe, 00000007.00000000.1733763393.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4154353746.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://www.haad.xyz/gy15/explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    unknown
                                                                    http://www.rrivalgetaways.info/gy15/explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      unknown
                                                                      https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earningsexplorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZuexplorer.exe, 00000007.00000002.4145487064.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1720478261.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      http://www.indow-replacement-46487.bondReferer:explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        unknown
                                                                        https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-winexplorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          unknown
                                                                          https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          http://www.hilohcreekpemf.online/gy15/www.indow-replacement-46487.bondexplorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            unknown
                                                                            http://www.asposted.online/gy15/www.ixaahx.shopexplorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                              unknown
                                                                              https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                unknown
                                                                                http://www.carterandcone.comlfaktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeuexplorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                http://www.fontbureau.com/designers/frere-user.htmlfaktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-darkexplorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                https://www.rd.com/list/polite-habits-campers-dislike/explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                https://android.notify.windows.com/iOSexplorer.exe, 00000007.00000000.1733763393.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4154353746.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                http://www.ixaahx.shopReferer:explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  unknown
                                                                                  http://www.hilohcreekpemf.onlineReferer:explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    unknown
                                                                                    http://www.indow-replacement-46487.bondexplorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                      unknown
                                                                                      https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.imgexplorer.exe, 00000007.00000002.4145487064.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1720478261.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                        unknown
                                                                                        http://www.hilohcreekpemf.online/gy15/explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          unknown
                                                                                          http://www.0372.photoReferer:explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                            unknown
                                                                                            https://outlook.com_explorer.exe, 00000007.00000000.1733763393.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4154353746.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                            • URL Reputation: safe
                                                                                            unknown
                                                                                            http://www.rogramdokpirdarmowy.today/gy15/explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              unknown
                                                                                              https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppeexplorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              • URL Reputation: safe
                                                                                              unknown
                                                                                              https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-atexplorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                unknown
                                                                                                http://www.isax.xyzexplorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  unknown
                                                                                                  http://www.fontbureau.com/designersGfaktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  http://www.ixaahx.shopexplorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    unknown
                                                                                                    http://www.rrivalgetaways.infoReferer:explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                      unknown
URL | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designers/? | faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/bThe | faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.hqaiop.xyz/gy15/ | explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.oftware-download-44761.bond/gy15/ | explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.ixaahx.shop/gy15/www.haad.xyz | explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.omaininformaniacion.fun | explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.fontbureau.com/designers? | faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl | explorer.exe, 00000007.00000000.1720478261.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://powerpoint.office.comcember | explorer.exe, 00000007.00000000.1733763393.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4154353746.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.isax.xyz/gy15/ | explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.tiro.com | faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re- | explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.indow-replacement-46487.bond/gy15/www.isax.xyz | explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.rogramdokpirdarmowy.today | explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.goodfont.co.kr | faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.micro | explorer.exe, 00000007.00000002.4147185768.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.4147904937.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1727350481.0000000009B60000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.rogramdokpirdarmowy.todayReferer: | explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.hopbestdeals.online | explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.orthfitness.net/gy15/ | explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.asposted.onlineReferer: | explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.typography.netD | faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.haad.xyzReferer: | explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.hqaiop.xyz | explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.hetinkerfoundation.netReferer: | explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.0372.photo/gy15/ | explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi | explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://api.msn.com/q | explorer.exe, 00000007.00000002.4149087756.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111719104.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1725514053.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.haad.xyz | explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.orthfitness.netReferer: | explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc | explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.oftware-download-44761.bond/gy15/www.0372.photo | explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.fonts.com | faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.kr | faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown

No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1540850
Start date and time: 2024-10-24 09:02:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 56s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: faktura proforma pdf.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@23/11@11/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 130
• Number of non-executed functions: 294
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: faktura proforma pdf.exe
Time | Type | Description
03:02:58 | API Interceptor | 1x Sleep call for process: faktura proforma pdf.exe modified
03:03:00 | API Interceptor | 15x Sleep call for process: powershell.exe modified
03:03:03 | API Interceptor | 1x Sleep call for process: xmAdkuQjxrS.exe modified
03:03:33 | API Interceptor | 8399469x Sleep call for process: explorer.exe modified
03:03:44 | API Interceptor | 7419592x Sleep call for process: mstsc.exe modified
08:03:02 | Task Scheduler | Run new task: xmAdkuQjxrS path: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe
                                                                                                                                                No context
Match: www.haad.xyz
Associated Sample Name / URL | Detection | Threat Name | Context
z1Ordendecompra10072OC9957pdf.exe | malicious | FormBook, PureLog Stealer | 13.248.252.114
nowe zamówienie zakupu pdf.exe | malicious | FormBook | 13.248.252.114
z19novaordemdecomprapdf.exe | malicious | FormBook | 13.248.252.114
                                                                                                                                                Process:C:\Users\user\Desktop\faktura proforma pdf.exe
                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1216
                                                                                                                                                Entropy (8bit):5.34331486778365
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                                                                                MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                                                                                SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                                                                                SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                                                                                SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                                                                                Malicious:true
                                                                                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                                                                Process:C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe
                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1216
                                                                                                                                                Entropy (8bit):5.34331486778365
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                                                                                MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                                                                                SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                                                                                SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                                                                                SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):2232
                                                                                                                                                Entropy (8bit):5.381224508783406
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:48:lylWSU4xymI4RW9oUP7gZ9tK8NPZHUk7u1iMuge//Z8vUyus:lGLHxvII5LZ2KRHzOuggs
                                                                                                                                                MD5:0AF3653FFDD276E8643A0D6B3D1D4DC8
                                                                                                                                                SHA1:CF99710B30EE2C42DBB1EEBD679293C6249BE447
                                                                                                                                                SHA-256:9F97A1FEE5C0ED12A1B30819CEFBE4B364E094467ED29717B249CBA6EBAA054E
                                                                                                                                                SHA-512:E471031233725A41495836DF3D88C8F96ADF227EFE843D3124B639A68C2251945928BA81CC9F97A36A523CF2CD2AC63C467987BD1D4218C53DAC8A731F000975
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):60
                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                Process:C:\Users\user\Desktop\faktura proforma pdf.exe
                                                                                                                                                File Type:XML 1.0 document, ASCII text
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1577
                                                                                                                                                Entropy (8bit):5.113390046403177
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtakWxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTWv
                                                                                                                                                MD5:CA5874E9E7CE47BEF38FB744156FA766
                                                                                                                                                SHA1:D6534F346BC82318C5D51ABB9596783BC5E833EC
                                                                                                                                                SHA-256:AEA3AC415EFC794548D4E44035B3C5899D03620483517CE9986C337264E73376
                                                                                                                                                SHA-512:1D892458C295ED6797583F0DAFB5460F9F44A7239361FEFEE3A3679B7E3A2C7E72F4AEE573F9F4A6D405C02F67B96B05AA38AD6E1B6147EBF49BAC29F1FA2847
                                                                                                                                                Malicious:true
                                                                                                                                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                                                                                                Process:C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe
                                                                                                                                                File Type:XML 1.0 document, ASCII text
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1577
                                                                                                                                                Entropy (8bit):5.113390046403177
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtakWxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTWv
                                                                                                                                                MD5:CA5874E9E7CE47BEF38FB744156FA766
                                                                                                                                                SHA1:D6534F346BC82318C5D51ABB9596783BC5E833EC
                                                                                                                                                SHA-256:AEA3AC415EFC794548D4E44035B3C5899D03620483517CE9986C337264E73376
                                                                                                                                                SHA-512:1D892458C295ED6797583F0DAFB5460F9F44A7239361FEFEE3A3679B7E3A2C7E72F4AEE573F9F4A6D405C02F67B96B05AA38AD6E1B6147EBF49BAC29F1FA2847
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                                                                                                Process:C:\Users\user\Desktop\faktura proforma pdf.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):626688
                                                                                                                                                Entropy (8bit):7.970940888352899
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:lCfia8t/w3ENiFovuGAS1WDv8mMrIJTxzDYKTX+grvLU2PI5WytkT7:lYibt/w3ESwXAS1U8brIJdXJugDYMI5C
                                                                                                                                                MD5:A2769BA56F8B84DE34DEEE154F4BFBA2
                                                                                                                                                SHA1:01771E5DF223FAC2315E8AB9BA72234A1A41F0BA
                                                                                                                                                SHA-256:9F7DA651412232824C868086DD48A7D63AF0DBB007CEF4DB8C24EDDA9B2FCDBB
                                                                                                                                                SHA-512:57AE3E2B4C4B47A6662C6FF8E91D95D0C807CF6A25757C9F6E4CB4F2F377746AC468CDAA1BD298679A6D70BC4DD91EF3F78444F8D7B9CDFCFDF71D3A428F2752
                                                                                                                                                Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 34%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...b..g..............0.................. ........@.. ....................................@.................................@...O.......x............................................................................ ............... ..H............text....~... ...................... ..`.rsrc...x...........................@..@.reloc..............................@..B................t.......H........C...>......W.......@............................................0..D........r...p}.....r...p}.....r...p}.....r...p}.....r...p}.....(.....(....*.0............}......{....o....}......{....o....}.....{....o.....{....(....o.....{....o....(....:.....{....o....(....:.....{....o.....{....o....?.....{.....{....o....,v..+V.{......{....o....o.....{....( ...,..{......{....o....o!....{....("...o......}......X...{....o.....{....o....Y.X2..{....*".(....&*...0...........{....,h.{..
Process: C:\Users\user\Desktop\faktura proforma pdf.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Preview: [ZoneTransfer]....ZoneId=0
This 26-byte text is the format of a Zone.Identifier alternate data stream. ZoneId=0 is the Local Machine zone, so the file it is attached to carries no Mark-of-the-Web and receives none of the SmartScreen or Office Protected View handling that a ZoneId=3 (Internet) download would; a dropped payload written with this stream looks locally created to the OS.
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.970940888352899
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: faktura proforma pdf.exe
File size: 626'688 bytes
MD5: a2769ba56f8b84de34deee154f4bfba2
SHA1: 01771e5df223fac2315e8ab9ba72234a1a41f0ba
SHA256: 9f7da651412232824c868086dd48a7d63af0dbb007cef4db8c24edda9b2fcdbb
SHA512: 57ae3e2b4c4b47a6662c6ff8e91d95d0c807cf6a25757c9f6e4cb4f2f377746ac468cdaa1bd298679a6d70bc4dd91ef3f78444f8d7b9cdfcfdf71d3a428f2752
SSDEEP: 12288:lCfia8t/w3ENiFovuGAS1WDv8mMrIJTxzDYKTX+grvLU2PI5WytkT7:lYibt/w3ESwXAS1U8brIJdXJugDYMI5C
TLSH: 1FD42332BA6CD937D69E05B508B7C57A02FD4442746BF7C94EDA62FB0AE4F029508B13
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...b..g..............0.................. ........@.. ....................................@................................
Icon Hash: 012c6c0000210045
Entrypoint: 0x499e92
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x6719BC62 [Thu Oct 24 03:17:54 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Two of these values deserve a caveat. A whole-file entropy of 7.97 in a .NET assembly is the profile of a packed or obfuscated loader stage, not of ordinary IL; and the import hash is the one shared by every .NET executable whose only native import is mscoree.dll!_CorExeMain, so it identifies the runtime stub, not the malware family. The link-time stamp is consistent with the analysis time (09:03 CEST on the same day), i.e. the sample was built under four hours before it was submitted.
Entrypoint disassembly (0x499e92):
jmp dword ptr [00402000h]
The remaining bytes at the entry point are zero padding, which the disassembler renders as a long run of "add byte ptr [eax], al"; they carry no code. The single instruction jumps through the only IAT slot (RVA 0x2000, absolute 0x400000 + 0x2000), i.e. mscoree.dll!_CorExeMain. This is the standard native stub of a managed executable: control passes to the CLR, which loads the IL, so the native entry point tells an analyst nothing about the sample beyond confirming that it is a .NET image.
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x99e40          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x9a000          0xb78         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x9c000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0x97e98       0x98000   72d294489d57301e15d61a6efe7ec826  False     0.9723109195106908  data       7.97774115801193     IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x9a000          0xb78         0xc00     0452b14312e9144a38a912ef97cf534f  False     0.4957682291666667  data       5.602403807876697    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x9c000          0xc           0x200     370587f763df196bcb267b2160876a14  False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size   Type                                                          Language  Country  ZLIB Complexity
RT_ICON        0x9a0c8  0x78c  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                      0.5786749482401656
RT_GROUP_ICON  0x9a864  0x14   data                                                                             1.05
RT_VERSION     0x9a888  0x2ec  data                                                                             0.43716577540106955
DLL          Import
mscoree.dll  _CorExeMain
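The static tables above are read the same way for every suspect .NET dropper: a CLR header in the COM_DESCRIPTOR directory says it is managed, a lone mscoree.dll!_CorExeMain import with a `jmp [IAT]` entry says the native stub is the runtime's, and an executable section whose entropy sits just under 8.0 says the IL is packed or encrypted and a later stage will be unpacked in memory. The script below is an added example, not code from the Joe Sandbox report or from the sample; it parses PE32 headers, data directories and sections with only the standard library, measures per-section Shannon entropy, and returns those three verdicts. Its input is a constructed minimal PE that mirrors the report's layout (IAT slot at RVA 0x2000, CLR header at 0x2008, `.text` filled with uniform bytes, an all-zero `.reloc`), and the 7.5-bit threshold is an analyst's heuristic rather than a value taken from the report.

```python
import math
import struct

DIRS = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
        "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
        "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for a uniform byte mix."""
    n = len(buf)
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c) if n else 0.0

def parse_pe32(data: bytes) -> dict:
    """DOS header -> COFF header -> PE32 optional header -> data dirs -> sections."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]                    # e_lfanew
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = pe_off + 4
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    _, _, _, entry_rva, _, _, image_base = struct.unpack_from("<7I", data, opt + 4)
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = {DIRS[i]: struct.unpack_from("<II", data, opt + 96 + 8 * i)
            for i in range(min(ndirs, 16))}
    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name, "va": va, "vsize": vsize, "raw_size": raw_size,
                         "raw_ptr": raw_ptr, "characteristics": chars,
                         "entropy": shannon_entropy(data[raw_ptr:raw_ptr + raw_size])})
    return {"machine": machine, "image_base": image_base, "entry_rva": entry_rva,
            "dirs": dirs, "sections": sections}

def rva_to_offset(pe: dict, rva: int) -> int:
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return rva - s["va"] + s["raw_ptr"]
    raise ValueError(f"RVA {rva:#x} maps to no section")

def triage(data: bytes) -> dict:
    """The questions an analyst answers from a sample's static tables."""
    pe = parse_pe32(data)
    com_rva, com_size = pe["dirs"].get("COM_DESCRIPTOR", (0, 0))
    is_dotnet = bool(com_rva and com_size)                 # CLR header present
    # A managed EXE's native entry is `FF 25 <abs addr>` = jmp dword ptr [IAT slot],
    # and that single IAT slot is mscoree.dll!_CorExeMain.
    ep = rva_to_offset(pe, pe["entry_rva"])
    stub = data[ep:ep + 6]
    iat_rva = pe["dirs"].get("IAT", (0, 0))[0]
    entry_via_iat = (stub[:2] == b"\xff\x25" and
                     struct.unpack_from("<I", stub, 2)[0] == pe["image_base"] + iat_rva)
    hot = [s["name"] for s in pe["sections"]
           if s["characteristics"] & 0x20000000 and s["entropy"] > 7.5]  # MEM_EXECUTE
    return {"is_dotnet": is_dotnet, "entry_via_iat": entry_via_iat,
            "high_entropy_code_sections": hot,
            "likely_packed": is_dotnet and bool(hot),     # plain IL never sits near 8.0
            "section_entropy": {s["name"]: round(s["entropy"], 3) for s in pe["sections"]}}

def build_sample_pe() -> bytes:
    """Constructed PE32 (not the analysed sample) mirroring the report's layout:
    .text at RVA 0x2000 holds the IAT slot (+0), the CLR header (+8) and a
    jmp [IAT] entry stub, then uniform filler bytes; .reloc is all zeros."""
    base, text_rva, reloc_rva, falign, hdr = 0x400000, 0x2000, 0x4000, 0x200, 0x200
    text = b"\0" * 0x50                                    # IAT slot + CLR header (zeroed)
    entry_rva = text_rva + len(text)
    text += b"\xff\x25" + struct.pack("<I", base + text_rva) + bytes(range(256)) * 32
    text = text.ljust(-(-len(text) // falign) * falign, b"\0")
    reloc = b"\0" * falign
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<III", opt, 28, base, 0x1000, falign)
    struct.pack_into("<I", opt, 92, 16)
    struct.pack_into("<II", opt, 96 + 8 * 12, text_rva, 8)            # IAT
    struct.pack_into("<II", opt, 96 + 8 * 14, text_rva + 8, 0x48)     # COM_DESCRIPTOR

    def sect(name, va, body, ptr, chars):
        return (name.ljust(8, b"\0") + struct.pack("<IIII", len(body), va, len(body), ptr)
                + b"\0" * 12 + struct.pack("<I", chars))

    hdrs = (sect(b".text", text_rva, text, hdr, 0x60000020)
            + sect(b".reloc", reloc_rva, reloc, hdr + len(text), 0x42000040))
    return (dos + b"PE\0\0" + coff + bytes(opt) + hdrs).ljust(hdr, b"\0") + text + reloc

if __name__ == "__main__":
    print(triage(build_sample_pe()))
```

Against a real file, call `triage(open(path, "rb").read())`; on a PE laid out like the one in this report the expected answer is is_dotnet and entry_via_iat both true and `.text` listed as a high-entropy code section. Note that a high-entropy `.text` is a strong hint, not proof: the decisive step is still to let the loader run (or to instrument the CLR) and dump the stage it decrypts, which is where the FormBook payload and its configuration come from.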
Timestamp                        SID      Signature                              Severity  Source IP    Source Port  Dest IP         Dest Port  Protocol
2024-10-24T09:06:01.145442+0200  2031412  ET MALWARE FormBook CnC Checkin (GET)  1         192.168.2.4  50007        13.248.252.114  80         TCP
2024-10-24T09:06:01.145442+0200  2031449  ET MALWARE FormBook CnC Checkin (GET)  1         192.168.2.4  50007        13.248.252.114  80         TCP
2024-10-24T09:06:01.145442+0200  2031453  ET MALWARE FormBook CnC Checkin (GET)  1         192.168.2.4  50007        13.248.252.114  80         TCP
All three alerts share one timestamp and one flow (192.168.2.4:50007 to 13.248.252.114:80), so they are three overlapping Emerging Threats FormBook check-in signatures matching a single HTTP GET, not three separate beacons.
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 24, 2024 09:03:38.158268929 CEST | 57459 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 09:03:38.170111895 CEST | 53 | 57459 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 09:03:57.908099890 CEST | 49832 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 09:03:57.917058945 CEST | 53 | 49832 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 09:04:18.440237045 CEST | 55523 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 09:04:18.451093912 CEST | 53 | 55523 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 09:04:38.798460960 CEST | 62357 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 09:04:38.807703018 CEST | 53 | 62357 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 09:05:19.626773119 CEST | 53735 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 09:05:19.636524916 CEST | 53 | 53735 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 09:05:40.053159952 CEST | 55502 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 09:05:40.064486027 CEST | 53 | 55502 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 09:06:00.410644054 CEST | 54845 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 09:06:00.626033068 CEST | 53 | 54845 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 09:06:20.814277887 CEST | 61403 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 09:06:20.824453115 CEST | 53 | 61403 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 09:06:41.242880106 CEST | 58701 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 09:06:41.252762079 CEST | 53 | 58701 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 09:07:02.050328016 CEST | 64852 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 09:07:02.059835911 CEST | 53 | 64852 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 09:07:22.861202002 CEST | 59956 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 09:07:22.879239082 CEST | 53 | 59956 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 24, 2024 09:03:38.158268929 CEST | 192.168.2.4 | 1.1.1.1 | 0xbe39 | Standard query (0) | www.hilohcreekpemf.online | A (IP address) | IN (0x0001) | false
Oct 24, 2024 09:03:57.908099890 CEST | 192.168.2.4 | 1.1.1.1 | 0x3af4 | Standard query (0) | www.indow-replacement-46487.bond | A (IP address) | IN (0x0001) | false
Oct 24, 2024 09:04:18.440237045 CEST | 192.168.2.4 | 1.1.1.1 | 0x700f | Standard query (0) | www.isax.xyz | A (IP address) | IN (0x0001) | false
Oct 24, 2024 09:04:38.798460960 CEST | 192.168.2.4 | 1.1.1.1 | 0xa835 | Standard query (0) | www.hopbestdeals.online | A (IP address) | IN (0x0001) | false
Oct 24, 2024 09:05:19.626773119 CEST | 192.168.2.4 | 1.1.1.1 | 0x63cd | Standard query (0) | www.asposted.online | A (IP address) | IN (0x0001) | false
Oct 24, 2024 09:05:40.053159952 CEST | 192.168.2.4 | 1.1.1.1 | 0x5ffb | Standard query (0) | www.ixaahx.shop | A (IP address) | IN (0x0001) | false
Oct 24, 2024 09:06:00.410644054 CEST | 192.168.2.4 | 1.1.1.1 | 0x791 | Standard query (0) | www.haad.xyz | A (IP address) | IN (0x0001) | false
Oct 24, 2024 09:06:20.814277887 CEST | 192.168.2.4 | 1.1.1.1 | 0x5c41 | Standard query (0) | www.omaininformaniacion.fun | A (IP address) | IN (0x0001) | false
Oct 24, 2024 09:06:41.242880106 CEST | 192.168.2.4 | 1.1.1.1 | 0xb02e | Standard query (0) | www.hetinkerfoundation.net | A (IP address) | IN (0x0001) | false
Oct 24, 2024 09:07:02.050328016 CEST | 192.168.2.4 | 1.1.1.1 | 0xc469 | Standard query (0) | www.nline-shopping-56055.bond | A (IP address) | IN (0x0001) | false
Oct 24, 2024 09:07:22.861202002 CEST | 192.168.2.4 | 1.1.1.1 | 0x5708 | Standard query (0) | www.rrivalgetaways.info | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 24, 2024 09:03:38.170111895 CEST | 1.1.1.1 | 192.168.2.4 | 0xbe39 | Name error (3) | www.hilohcreekpemf.online | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 09:03:57.917058945 CEST | 1.1.1.1 | 192.168.2.4 | 0x3af4 | Name error (3) | www.indow-replacement-46487.bond | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 09:04:18.451093912 CEST | 1.1.1.1 | 192.168.2.4 | 0x700f | Name error (3) | www.isax.xyz | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 09:04:38.807703018 CEST | 1.1.1.1 | 192.168.2.4 | 0xa835 | Name error (3) | www.hopbestdeals.online | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 09:05:19.636524916 CEST | 1.1.1.1 | 192.168.2.4 | 0x63cd | Name error (3) | www.asposted.online | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 09:05:40.064486027 CEST | 1.1.1.1 | 192.168.2.4 | 0x5ffb | Name error (3) | www.ixaahx.shop | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 09:06:00.626033068 CEST | 1.1.1.1 | 192.168.2.4 | 0x791 | No error (0) | www.haad.xyz | | 13.248.252.114 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 09:06:00.626033068 CEST | 1.1.1.1 | 192.168.2.4 | 0x791 | No error (0) | www.haad.xyz | | 99.83.138.213 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 09:06:20.824453115 CEST | 1.1.1.1 | 192.168.2.4 | 0x5c41 | Name error (3) | www.omaininformaniacion.fun | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 09:06:41.252762079 CEST | 1.1.1.1 | 192.168.2.4 | 0xb02e | Name error (3) | www.hetinkerfoundation.net | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 09:07:02.059835911 CEST | 1.1.1.1 | 192.168.2.4 | 0xc469 | Name error (3) | www.nline-shopping-56055.bond | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 09:07:22.879239082 CEST | 1.1.1.1 | 192.168.2.4 | 0x5708 | Name error (3) | www.rrivalgetaways.info | none | none | A (IP address) | IN (0x0001) | false

Target ID: 0
Start time: 03:02:57
Start date: 24/10/2024
Path: C:\Users\user\Desktop\faktura proforma pdf.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\faktura proforma pdf.exe"
Imagebase: 0x7d0000
File size: 626'688 bytes
MD5 hash: A2769BA56F8B84DE34DEEE154F4BFBA2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1737166544.00000000045C8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1737166544.00000000045C8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1737166544.00000000045C8000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1737166544.00000000045C8000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1737166544.00000000045C8000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low
Has exited: true

Target ID: 2
Start time: 03:02:59
Start date: 24/10/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe"
Imagebase: 0xc40000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 03:02:59
Start date: 24/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 03:02:59
Start date: 24/10/2024
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xmAdkuQjxrS" /XML "C:\Users\user\AppData\Local\Temp\tmp69A7.tmp"
Imagebase: 0x610000
File size: 187'904 bytes
MD5 hash: 48C2FE20575769DE916F48EF0676A965
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 03:02:59
Start date: 24/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 03:03:00
Start date: 24/10/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase: 0xa90000
File size: 45'984 bytes
MD5 hash: 9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: high
Has exited: true

Target ID: 7
Start time: 03:03:00
Start date: 24/10/2024
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff72b770000
File size: 5'141'208 bytes
MD5 hash: 662F4F92FDE3557E86D110526BB578D5
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000007.00000002.4157647117.000000000FCC4000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation: high
Has exited: false

                                                                                                                                                Target ID:8
                                                                                                                                                Start time:03:03:01
                                                                                                                                                Start date:24/10/2024
                                                                                                                                                Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                                Imagebase:0x940000
                                                                                                                                                File size:496'640 bytes
                                                                                                                                                MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high
                                                                                                                                                Has exited:false

                                                                                                                                                Target ID:9
                                                                                                                                                Start time:03:03:02
                                                                                                                                                Start date:24/10/2024
                                                                                                                                                Path:C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe
                                                                                                                                                Imagebase:0x2d0000
                                                                                                                                                File size:626'688 bytes
                                                                                                                                                MD5 hash:A2769BA56F8B84DE34DEEE154F4BFBA2
                                                                                                                                                Has elevated privileges:false
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Yara matches:
                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.1773933452.0000000004028000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.1773933452.0000000004028000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.1773933452.0000000004028000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.1773933452.0000000004028000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.1773933452.0000000004028000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                Antivirus matches:
                                                                                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                                                                                • Detection: 34%, ReversingLabs
                                                                                                                                                Reputation:low
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:10
                                                                                                                                                Start time:03:03:03
                                                                                                                                                Start date:24/10/2024
                                                                                                                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xmAdkuQjxrS" /XML "C:\Users\user\AppData\Local\Temp\tmp77D0.tmp"
                                                                                                                                                Imagebase:0x610000
                                                                                                                                                File size:187'904 bytes
                                                                                                                                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                                                Has elevated privileges:false
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:11
                                                                                                                                                Start time:03:03:03
                                                                                                                                                Start date:24/10/2024
                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                                                File size:862'208 bytes
                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                Has elevated privileges:false
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:12
                                                                                                                                                Start time:03:03:03
                                                                                                                                                Start date:24/10/2024
                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                                                                                                Imagebase:0x980000
                                                                                                                                                File size:45'984 bytes
                                                                                                                                                MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                                                                                Has elevated privileges:false
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:13
                                                                                                                                                Start time:03:03:04
                                                                                                                                                Start date:24/10/2024
                                                                                                                                                Path:C:\Windows\SysWOW64\mstsc.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"C:\Windows\SysWOW64\mstsc.exe"
                                                                                                                                                Imagebase:0x8f0000
                                                                                                                                                File size:1'264'640 bytes
                                                                                                                                                MD5 hash:EA4A02BE14C405327EEBA8D9AD2BD42C
                                                                                                                                                Has elevated privileges:false
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Yara matches:
                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.4142797665.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.4142797665.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.4142797665.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.4142797665.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.4142797665.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.4142425418.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.4142425418.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.4142425418.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.4142425418.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.4142425418.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.4142752695.0000000003670000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.4142752695.0000000003670000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.4142752695.0000000003670000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.4142752695.0000000003670000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.4142752695.0000000003670000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                Has exited:false

                                                                                                                                                Target ID:14
                                                                                                                                                Start time:03:03:04
                                                                                                                                                Start date:24/10/2024
                                                                                                                                                Path:C:\Windows\SysWOW64\raserver.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"C:\Windows\SysWOW64\raserver.exe"
                                                                                                                                                Imagebase:0x270000
                                                                                                                                                File size:107'520 bytes
                                                                                                                                                MD5 hash:D1053D114847677185F248FF98C3F255
                                                                                                                                                Has elevated privileges:false
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Yara matches:
                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.1791235982.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.1791235982.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.1791235982.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.1791235982.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.1791235982.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:15
                                                                                                                                                Start time:03:03:08
                                                                                                                                                Start date:24/10/2024
                                                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                                                                                                Imagebase:0x240000
                                                                                                                                                File size:236'544 bytes
                                                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                Has elevated privileges:false
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:16
                                                                                                                                                Start time:03:03:08
                                                                                                                                                Start date:24/10/2024
                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                                                File size:862'208 bytes
                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                Has elevated privileges:false
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true


Execution Graph

Execution Coverage: 11.1%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 2.4%
Total number of Nodes: 248
Total number of Limit Nodes: 11
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1739437795.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_5610000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: (okq$(okq$(okq$,oq$,oq$Hoq
                                                                                                                                                  • API String ID: 0-2698134226
                                                                                                                                                  • Opcode ID: 0b9036cc8d963bc992b11904454e81f51d5b652496576dd19d6def7f121a0dda
                                                                                                                                                  • Instruction ID: 139cbfc222763957037f876e41c89eac93fb14b5cf44a8b02f89f771f4d24b42
                                                                                                                                                  • Opcode Fuzzy Hash: 0b9036cc8d963bc992b11904454e81f51d5b652496576dd19d6def7f121a0dda
                                                                                                                                                  • Instruction Fuzzy Hash: D4726070A002199FCB14DF69C994ABEBBF6FF88340F288169E805AB365DB35DD41CB54
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1739437795.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_5610000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: (okq$4'kq$4'kq$4'kq
                                                                                                                                                  • API String ID: 0-323808577
                                                                                                                                                  • Opcode ID: 8eee230a461ccd1830873e46004b90a48232a0f5ffc96fc95933706e067309d8
                                                                                                                                                  • Instruction ID: 5fca8dc2c63b34f829a73402d96af3917b94aa0788e334e71991c00ac4b0d8ef
                                                                                                                                                  • Opcode Fuzzy Hash: 8eee230a461ccd1830873e46004b90a48232a0f5ffc96fc95933706e067309d8
                                                                                                                                                  • Instruction Fuzzy Hash: C6A28E74A042099FDB15CF68C984ABEBBB2FF49300F198569E806DB361DB35ED41CB58
                                                                                                                                                  APIs
                                                                                                                                                  • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 07691EEF
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1741428469.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_7690000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InformationProcessQuery
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1778838933-0
                                                                                                                                                  • Opcode ID: 1a887d13cd2056fa90cab651f3ab2660af87020fcc537863f5332d571e1290eb
                                                                                                                                                  • Instruction ID: 3762fbce7dc3b75270a1c494a5519aaa42024007968ee5c8ef3c0f4c72fd982c
                                                                                                                                                  • Opcode Fuzzy Hash: 1a887d13cd2056fa90cab651f3ab2660af87020fcc537863f5332d571e1290eb
                                                                                                                                                  • Instruction Fuzzy Hash: 7F21EFB5900659DFCB10CF99D884ADEBBF4FB48310F20842AE919A7250D375A544CFA4
                                                                                                                                                  APIs
                                                                                                                                                  • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 07691EEF
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1741428469.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_7690000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InformationProcessQuery
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1778838933-0
                                                                                                                                                  • Opcode ID: ebd69a8e0422f3ac41d1865c92b812c2e2d502f940e8300e56949667a179c9c1
                                                                                                                                                  • Instruction ID: b88ce12a4b6ad64a847f87037729872972828396181e580ba78a3e60fe85fc22
                                                                                                                                                  • Opcode Fuzzy Hash: ebd69a8e0422f3ac41d1865c92b812c2e2d502f940e8300e56949667a179c9c1
                                                                                                                                                  • Instruction Fuzzy Hash: 9521EEB5900259DFCB10CF9AD884ACEFBF4FB48320F20842AE918A7310D374A944CFA4
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1739437795.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_5610000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 387e228ef09986e0b5d5d1feb4fd260f4f0c3a2165fdb4237fdb4c3b2dd35b24
                                                                                                                                                  • Instruction ID: 1ac0092e5fb4c31340111f9c3fd8c891e71eb2660da853142003e5dc150db21b
                                                                                                                                                  • Opcode Fuzzy Hash: 387e228ef09986e0b5d5d1feb4fd260f4f0c3a2165fdb4237fdb4c3b2dd35b24
                                                                                                                                                  • Instruction Fuzzy Hash: 1B429274E01219CFDB54CFA9C984BADBBB6BF88310F1481A9E809A7355DB31AD81CF50
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1739437795.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_5610000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: bad86c27d514fe8e37dbff3a6f97e4ed2bab12ac1ae6afac0b96630a8eff8862
                                                                                                                                                  • Instruction ID: a0ff35a352734dcc8baeff1370a569eefd97b26b7fec775e09c61a8c24ea819c
                                                                                                                                                  • Opcode Fuzzy Hash: bad86c27d514fe8e37dbff3a6f97e4ed2bab12ac1ae6afac0b96630a8eff8862
                                                                                                                                                  • Instruction Fuzzy Hash: 5532E470A01218CFDB54DF69C580A9EFBB2BF48311F59D195E848AB212DB31ED85CF68
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1744618554.000000000EAF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0EAF0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_eaf0000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 82c9b409d612c3eec0b7f567842c818435013c763b9267e2cc12d9ed72bf0dcc
                                                                                                                                                  • Instruction ID: d1cb449b3e9c40bbc4f1dd365bece0b933d5d1ac9a0d8eb468a9144353463757
                                                                                                                                                  • Opcode Fuzzy Hash: 82c9b409d612c3eec0b7f567842c818435013c763b9267e2cc12d9ed72bf0dcc
                                                                                                                                                  • Instruction Fuzzy Hash: A9E1C0307016058FDB29EBB9D4607AE77FAAF89304F14846DE246DB2A0DB35EC01CB65
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1741428469.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_7690000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: caec1dfe8d2de46f2bb57998ee7c0c2cbfa039c3b2875586b19629767c07943b
                                                                                                                                                  • Instruction ID: a8e32e41fc51b95c19360740a8ac11c81546c74e3e74165667dba0a3620b59d3
                                                                                                                                                  • Opcode Fuzzy Hash: caec1dfe8d2de46f2bb57998ee7c0c2cbfa039c3b2875586b19629767c07943b
                                                                                                                                                  • Instruction Fuzzy Hash: 45612AB5E012199FCF05DFEAD8449AEBBF6FF89310F148429E816A7354DB349906CB50
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1739437795.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_5610000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1739437795.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_5610000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1744618554.000000000EAF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0EAF0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_eaf0000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1744618554.000000000EAF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0EAF0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_eaf0000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                  • GetCurrentProcess.KERNEL32 ref: 0118D1B6
                                                                                                                                                  • GetCurrentThread.KERNEL32 ref: 0118D1F3
                                                                                                                                                  • GetCurrentProcess.KERNEL32 ref: 0118D230
                                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 0118D289
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1735028574.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_1180000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Current$ProcessThread
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2063062207-0

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                  • GetCurrentProcess.KERNEL32 ref: 0118D1B6
                                                                                                                                                  • GetCurrentThread.KERNEL32 ref: 0118D1F3
                                                                                                                                                  • GetCurrentProcess.KERNEL32 ref: 0118D230
                                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 0118D289
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1735028574.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_1180000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Current$ProcessThread
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2063062207-0

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0769DD96
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1741428469.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_7690000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CreateProcess
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 963392458-0

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0769DD96
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1741428469.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_7690000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CreateProcess
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 963392458-0
                                                                                                                                                  APIs
                                                                                                                                                  • CreateActCtxA.KERNEL32(?), ref: 011859A9
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1735028574.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_1180000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Create
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2289755597-0
                                                                                                                                                  APIs
                                                                                                                                                  • CreateActCtxA.KERNEL32(?), ref: 011859A9
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1735028574.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_1180000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Create
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2289755597-0
                                                                                                                                                  APIs
                                                                                                                                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0769D968
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1741428469.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_7690000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MemoryProcessWrite
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3559483778-0
                                                                                                                                                  • Opcode ID: a8923f8204095c3458e2b3e95ac9525d83a1d0c3e1ac2f600bfbafb6e8e4d8f4
                                                                                                                                                  • Instruction ID: b02666edf7cd7b05e1dbc702a191b53e7c7f77942978b00e00e9235863e2df3e
                                                                                                                                                  • Opcode Fuzzy Hash: a8923f8204095c3458e2b3e95ac9525d83a1d0c3e1ac2f600bfbafb6e8e4d8f4
                                                                                                                                                  • Instruction Fuzzy Hash: E82137B1900259DFCF10DFA9C985BEEBBF5FF48310F10842AE959A7250C7749954CBA0
                                                                                                                                                  APIs
                                                                                                                                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0769D968
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1741428469.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_7690000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MemoryProcessWrite
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3559483778-0
                                                                                                                                                  • Opcode ID: 57a945ba0179299426ed4caa151e4fa122232f6328f8b15460d1401ce8b9b6d4
                                                                                                                                                  • Instruction ID: 44b62abad40ed0a9fcaebe8245122dd87de5334ed82cbc47c453fc09369b96b0
                                                                                                                                                  • Opcode Fuzzy Hash: 57a945ba0179299426ed4caa151e4fa122232f6328f8b15460d1401ce8b9b6d4
                                                                                                                                                  • Instruction Fuzzy Hash: 2D2124B1900359DFCB10DFA9C985BDEBBF5FF48320F10842AE959A7250C778A954CBA4
                                                                                                                                                  APIs
                                                                                                                                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0769D7BE
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1741428469.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_7690000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ContextThreadWow64
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 983334009-0
                                                                                                                                                  • Opcode ID: f001d0639fc3c97294fdfebfa05dafbe8c7a112b4f70dc9433a651516a3c7c8e
                                                                                                                                                  • Instruction ID: 7ae6b5ff16a6447fb37adf5712cba9306f19d8e0e174dd36a10a3b170b0639b6
                                                                                                                                                  • Opcode Fuzzy Hash: f001d0639fc3c97294fdfebfa05dafbe8c7a112b4f70dc9433a651516a3c7c8e
                                                                                                                                                  • Instruction Fuzzy Hash: BE213AB2D002098FDB10DFAAC485BEEBBF4EF48324F10842ED459A7240D7789545CFA4
                                                                                                                                                  APIs
                                                                                                                                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0769DA48
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1741428469.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_7690000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MemoryProcessRead
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1726664587-0
                                                                                                                                                  • Opcode ID: 99fd814dd5fe0bf5484d77561b0b64b9746143f9e0b808bd7d9cb421bfbe8dc4
                                                                                                                                                  • Instruction ID: f8ca45bac893b12af44a3f68c6852fde66b94bbf08c71cb62301df3d6e260fde
                                                                                                                                                  • Opcode Fuzzy Hash: 99fd814dd5fe0bf5484d77561b0b64b9746143f9e0b808bd7d9cb421bfbe8dc4
                                                                                                                                                  • Instruction Fuzzy Hash: 242136B2D002599FDB10DFAAD881AEEFBF5FF48320F10842AE559A7250C7349555CBA0
                                                                                                                                                  APIs
                                                                                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0118D407
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1735028574.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_1180000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: DuplicateHandle
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3793708945-0
                                                                                                                                                  • Opcode ID: 1b1fb15c6fcf4390c9ac271955201d490244342220d28526a0859b18923b59ff
                                                                                                                                                  • Instruction ID: b45ec34865263fc06c5a9cafc9b4930ef75538e80801360e6d8731736d2bad87
                                                                                                                                                  • Opcode Fuzzy Hash: 1b1fb15c6fcf4390c9ac271955201d490244342220d28526a0859b18923b59ff
                                                                                                                                                  • Instruction Fuzzy Hash: 9121E3B5900218DFDB10CFA9D584AEEBBF4EB08310F14841AE958A7350D379A944CFA0
                                                                                                                                                  APIs
                                                                                                                                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0769D7BE
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1741428469.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_7690000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ContextThreadWow64
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 983334009-0
                                                                                                                                                  • Opcode ID: d987698831755efcf790683a6d96ee3abbe7667a8d54a27e6727ef1ae1c3a003
                                                                                                                                                  • Instruction ID: e115db309a2fc22595ad19e020ce5ff69202c4e28ab27bf797a0b3aca74d72d5
                                                                                                                                                  • Opcode Fuzzy Hash: d987698831755efcf790683a6d96ee3abbe7667a8d54a27e6727ef1ae1c3a003
                                                                                                                                                  • Instruction Fuzzy Hash: 5C2118B19003098FDB10DFAAC5857EEBBF4EF48324F14842AD459A7240D778A945CFA4
                                                                                                                                                  APIs
                                                                                                                                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0769DA48
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1741428469.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_7690000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MemoryProcessRead
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1726664587-0
                                                                                                                                                  • Opcode ID: e94c4e1e85edeaaa6d87557a11c5949eec8dff2f94fa0d3028b6842b24b67501
                                                                                                                                                  • Instruction ID: 68b48ab966af487b60831ea406d0f7d0c51ab4d8c7180d00a8c742fe043c0b0e
                                                                                                                                                  • Opcode Fuzzy Hash: e94c4e1e85edeaaa6d87557a11c5949eec8dff2f94fa0d3028b6842b24b67501
                                                                                                                                                  • Instruction Fuzzy Hash: B12128B19003599FCB10DFAAC880ADEFBF5FF48320F108429E559A7250C7349554CBA4
                                                                                                                                                  APIs
                                                                                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0118D407
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1735028574.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_1180000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: DuplicateHandle
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3793708945-0
                                                                                                                                                  • Opcode ID: 08b817a9d38ef0a4d033f4d91c98011adaa0a3d5f6aa3e08c32e72b3fe69112b
                                                                                                                                                  • Instruction ID: 35794375059d09772386362f47aaaa41166d125b4c40072164b62f4a485a2a2b
                                                                                                                                                  • Opcode Fuzzy Hash: 08b817a9d38ef0a4d033f4d91c98011adaa0a3d5f6aa3e08c32e72b3fe69112b
                                                                                                                                                  • Instruction Fuzzy Hash: 8021E2B5900248DFDB10CFAAD984ADEFFF8EB48320F14801AE918A3350D374A944CFA4
                                                                                                                                                  APIs
                                                                                                                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0769D886
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1741428469.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_7690000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AllocVirtual
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 4275171209-0
                                                                                                                                                  • Opcode ID: 0c2fa12b2df0464e817c1ee5cd90db5ffaa5ff2215d7ce41984aeb3b1fc4e6a8
                                                                                                                                                  • Instruction ID: 81553de9baa6263f0be4edf9087f142d2e01def05a4b4ec8303e34a173da254d
                                                                                                                                                  • Opcode Fuzzy Hash: 0c2fa12b2df0464e817c1ee5cd90db5ffaa5ff2215d7ce41984aeb3b1fc4e6a8
                                                                                                                                                  • Instruction Fuzzy Hash: 1F2167B2900249CFCB20DFA9D844AEEFBF5EF88320F108429D459A7250C735A954CFA0
                                                                                                                                                  APIs
                                                                                                                                                  • ResumeThread.KERNELBASE(?), ref: 0769D2BA
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1741428469.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_7690000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ResumeThread
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 947044025-0
                                                                                                                                                  • Opcode ID: 3cc52c3ba396e1fa08199bfbb21775704f6a5deef9ea1084c3b39815f9123b11
                                                                                                                                                  • Instruction ID: 55b227d4abb5a5fe05b05b3f7c0ec869bfb71fabcc204e4ff973e38ffbab5338
                                                                                                                                                  • Opcode Fuzzy Hash: 3cc52c3ba396e1fa08199bfbb21775704f6a5deef9ea1084c3b39815f9123b11
                                                                                                                                                  • Instruction Fuzzy Hash: C01134B19002598ECB20DFAAD5457EEFBF4EF88324F20882AC559A7250CB75A945CF94
                                                                                                                                                  APIs
                                                                                                                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0769D886
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1741428469.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_7690000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AllocVirtual
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 4275171209-0
                                                                                                                                                  • Opcode ID: 960aa0b820ccdfc7a5435108be07c7e420248008bc83b99ac4cc1403e94bca44
                                                                                                                                                  • Instruction ID: a653dc1f31cc3d8c5b208565681fbcd9c59e1dd4c8b51426a4522c61c6cf4fea
                                                                                                                                                  • Opcode Fuzzy Hash: 960aa0b820ccdfc7a5435108be07c7e420248008bc83b99ac4cc1403e94bca44
                                                                                                                                                  • Instruction Fuzzy Hash: E21129B19002499FCB10DFA9C944BDEFFF5EF48320F108429D559A7250C775A554CFA0
                                                                                                                                                  APIs
                                                                                                                                                  • OutputDebugStringW.KERNELBASE(00000000), ref: 07693360
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1741428469.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_7690000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: DebugOutputString
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1166629820-0
                                                                                                                                                  • Opcode ID: c7ea7f6e0694272226c530243af86f1d6beb978f50b6c9f9a32985ff7e3d5caf
                                                                                                                                                  • Instruction ID: 701520540a7183bbe81933569b9673dd892120a7731f4afdc74cd0accbb4f855
                                                                                                                                                  • Opcode Fuzzy Hash: c7ea7f6e0694272226c530243af86f1d6beb978f50b6c9f9a32985ff7e3d5caf
                                                                                                                                                  • Instruction Fuzzy Hash: F71100B5C0065ADFCB10CFAAD545B9EFBF4FB48720F10852AD819A3240C734A944CFA4
                                                                                                                                                  APIs
                                                                                                                                                  • OutputDebugStringW.KERNELBASE(00000000), ref: 07693360
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1741428469.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_7690000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: DebugOutputString
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1166629820-0
                                                                                                                                                  • Opcode ID: d02989a29cce0c81a5ca53d40ce276ded2ce8e096353920b53cbfd896ac4e7aa
                                                                                                                                                  • Instruction ID: c3530b594a37a71f543fa325f156fbd1c5310967b717597f96b716d3bc96d282
                                                                                                                                                  • Opcode Fuzzy Hash: d02989a29cce0c81a5ca53d40ce276ded2ce8e096353920b53cbfd896ac4e7aa
                                                                                                                                                  • Instruction Fuzzy Hash: 9011EFB1C0065ADBCB14DFAAD444A9EFBB8FB48720F10812AD819A7340C774AA44CFA5
                                                                                                                                                  APIs
                                                                                                                                                  • ResumeThread.KERNELBASE(?), ref: 0769D2BA
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1741428469.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_7690000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ResumeThread
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 947044025-0
                                                                                                                                                  • Opcode ID: 6babcde4ff89846a13a93a4f484d1331c1018b6c6f658362db66c4288162f684
                                                                                                                                                  • Instruction ID: fa2b6e6084668b4ed68fd7ba1dc86fb232a05f591de2456b004a9cdedd717189
                                                                                                                                                  • Opcode Fuzzy Hash: 6babcde4ff89846a13a93a4f484d1331c1018b6c6f658362db66c4288162f684
                                                                                                                                                  • Instruction Fuzzy Hash: D31128B19002498FCB20DFAAC5457DEFBF8EF88324F208429D559A7250C775A544CB94
                                                                                                                                                  APIs
                                                                                                                                                  • PostMessageW.USER32(?,?,?,?), ref: 0EAF1FD5
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1744618554.000000000EAF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0EAF0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_eaf0000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MessagePost
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 410705778-0
                                                                                                                                                  • Opcode ID: 0fcdaa344c911de053f4b38e90f4f0f931b2ad29be018e9b0c8e79e5d8fd5c99
                                                                                                                                                  • Instruction ID: a97579d8bbd1dffe2a4dcb1f2b78c5ef493e08d7ed8bc350400356c8f022529e
                                                                                                                                                  • Opcode Fuzzy Hash: 0fcdaa344c911de053f4b38e90f4f0f931b2ad29be018e9b0c8e79e5d8fd5c99
                                                                                                                                                  • Instruction Fuzzy Hash: 091113B5800249CFCB20CF9AD884BDEFBF4EB48324F10851AE558A7240C375A984CFA1
                                                                                                                                                  APIs
                                                                                                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0118AFDE
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1735028574.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_1180000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: HandleModule
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 4139908857-0
                                                                                                                                                  • Opcode ID: 3e79ab7bd3ef6b621f7152ad019b8422b7ce5c956b2bc268d4be082b97a94874
                                                                                                                                                  • Instruction ID: 987551ac3c5bb140079b25916f081cc6425086335c68b5d544429c1feddec710
                                                                                                                                                  • Opcode Fuzzy Hash: 3e79ab7bd3ef6b621f7152ad019b8422b7ce5c956b2bc268d4be082b97a94874
                                                                                                                                                  • Instruction Fuzzy Hash: 9E110FB6C002498FDB24DF9AD444ADEFBF4AF88324F10C42AD528A7250C379A545CFA1
                                                                                                                                                  APIs
                                                                                                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0118AFDE
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1735028574.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_1180000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: HandleModule
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 4139908857-0
                                                                                                                                                  • Opcode ID: f36c750df80a9cc4fc7794cdc48612d1ca58e5c81101ea6714627bf14cc852ed
                                                                                                                                                  • Instruction ID: b221ea58cf90d5e78007be531ddb216f5e91565917e3fb074cc6c09f8ccaa4d9
                                                                                                                                                  • Opcode Fuzzy Hash: f36c750df80a9cc4fc7794cdc48612d1ca58e5c81101ea6714627bf14cc852ed
                                                                                                                                                  • Instruction Fuzzy Hash: 3C112DB6C002498FCB14DF9AD544BDEFBF4AF48214F10842AD568B7240C338A145CFA1
                                                                                                                                                  APIs
                                                                                                                                                  • PostMessageW.USER32(?,?,?,?), ref: 0EAF1FD5
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1744618554.000000000EAF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0EAF0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_eaf0000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MessagePost
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 410705778-0
                                                                                                                                                  • Opcode ID: 98501368a09476e2a15c5a01a77f8442ebff642575339b01abb0fa8396e70c9f
                                                                                                                                                  • Instruction ID: 1e9616dbe3eef94c259241fe7a455d89802b1d2de2358e99a37fdd8f837d428a
                                                                                                                                                  • Opcode Fuzzy Hash: 98501368a09476e2a15c5a01a77f8442ebff642575339b01abb0fa8396e70c9f
                                                                                                                                                  • Instruction Fuzzy Hash: 5B11E2B5800349DFDB20DF9AC885BDEFBF8EB48324F10841AE558A7250C375A984CFA5
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1734505388.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_101d000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 4c8386081679c99ae16f42c55707c8724191ea08807ba2550dd283b63939e22a
                                                                                                                                                  • Instruction ID: 8ed9d80da8ebbca21daa103bf874db4aa464ed577cc9c01647553c2714c85a36
                                                                                                                                                  • Opcode Fuzzy Hash: 4c8386081679c99ae16f42c55707c8724191ea08807ba2550dd283b63939e22a
                                                                                                                                                  • Instruction Fuzzy Hash: 58213771500240DFDB05DF58D9C8B2BBFA5FB88318F20C5A9E9890B25AC33AD456CBB1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1734607997.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_102d000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 6985ed0316c5262074a824ae0f811422613b747851f581df2df8c31d1116dd28
                                                                                                                                                  • Instruction ID: 4f9546dc4a9c2f555574826e1a168050e055659a45448c4b151a8598b828dd3f
                                                                                                                                                  • Opcode Fuzzy Hash: 6985ed0316c5262074a824ae0f811422613b747851f581df2df8c31d1116dd28
                                                                                                                                                  • Instruction Fuzzy Hash: B1212671504200EFDB05DF98D9C4B2ABBA5FB95324F20C6ADE9894B256C336D84ACB61
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1734607997.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_102d000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: d4326babc918a14f032363b7badf74fcd80388d78f501b2fc436d37e18193ec8
                                                                                                                                                  • Instruction ID: 28463fe94c6c0558dd952abf70ac67a9f1ea58dea61babbffb73f4b212cccfe2
                                                                                                                                                  • Opcode Fuzzy Hash: d4326babc918a14f032363b7badf74fcd80388d78f501b2fc436d37e18193ec8
                                                                                                                                                  • Instruction Fuzzy Hash: D3213771504240DFCB15DF58D5C4B1ABFA5FB84314F20C5ADE9894B266C33AD847CB61
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1734607997.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_102d000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: d9f234daf6c055008de09f27f99e814d018cf504a60405fa68bd718b4e6429a8
                                                                                                                                                  • Instruction ID: 8e2b50e1691db37b820489927d91b82c0f2c572b1238e7da0977d6e9df42892b
                                                                                                                                                  • Opcode Fuzzy Hash: d9f234daf6c055008de09f27f99e814d018cf504a60405fa68bd718b4e6429a8
                                                                                                                                                  • Instruction Fuzzy Hash: 042180755083809FCB13CF64D9D4711BFB1EB46214F28C5DAD8898F2A7C33A981ACB62
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1734505388.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_101d000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                                                  • Instruction ID: 3a7f5407a4a6e18fd73c49c90aa62aef2128554ee2a253fd4ff6d84d4c0ed22a
                                                                                                                                                  • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                                                  • Instruction Fuzzy Hash: D111D376504280CFDB16CF54D5C4B16BFB1FB84318F24C6A9D9490B65BC33AD45ACBA1
Memory Dump Source
• Source File: 00000000.00000002.1734607997.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_102d000_faktura proforma pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
• Instruction ID: e4e0f9df3c8a00b82bd52114269cf2f221afef72f14cddbc214c8e6f70577fc8
• Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
• Instruction Fuzzy Hash: 7111BB75504280DFDB02CF54C5C4B15FFA1FB85224F24C6AAD8894B296C33AD80ACB61

Memory Dump Source
• Source File: 00000000.00000002.1739437795.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5610000_faktura proforma pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: da1ae64a680c281fedfc5143c7e5351be4259fc003eac874a791dc5ede49d3f7
• Instruction ID: d654ace19d02868a5882e253fe8a8074921367191ea1823fb9202f5adcdd894e
• Opcode Fuzzy Hash: da1ae64a680c281fedfc5143c7e5351be4259fc003eac874a791dc5ede49d3f7
• Instruction Fuzzy Hash: 66F10D71A006159FCB14CF69D584DADBBF6BF89350F1A8099E809EB361DB31EC81CB94

Memory Dump Source
• Source File: 00000000.00000002.1741428469.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7690000_faktura proforma pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e4b375ce8e4ae86bead36a0ad0f9c385d7610f66037b5cb59d0bc7220a0bc121
• Instruction ID: 3cac72dd3d776200462342debe1ae4a66bd790d066fa342cdfafdca2592394c1
• Opcode Fuzzy Hash: e4b375ce8e4ae86bead36a0ad0f9c385d7610f66037b5cb59d0bc7220a0bc121
• Instruction Fuzzy Hash: C7E1B6B4E0025A8FCB14DFA9C5809AEFBB6FB89304F248169E415AB359D731AD41CF61

Memory Dump Source
• Source File: 00000000.00000002.1741428469.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7690000_faktura proforma pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 390d72131b8e7bd1402933edf77905c6427ca4e3834fa2d867500603ffbb1ec3
• Instruction ID: 462d5c459bd4c73027c18bfb9418b2c153e0e0392650283f9f96ff81a16b44d7
• Opcode Fuzzy Hash: 390d72131b8e7bd1402933edf77905c6427ca4e3834fa2d867500603ffbb1ec3
• Instruction Fuzzy Hash: 4BE1D7B4E005198FCB14DFA9C5809AEFBF6FF89304F248169E455AB35AD730A942CF60

Memory Dump Source
• Source File: 00000000.00000002.1741428469.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7690000_faktura proforma pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2fe0e9aecb3c77ec63c41e1544e776550358b9e102bbda05f7d7ed4e126d3df9
• Instruction ID: a385a79884c267e3bf647b9532a2c35f1796fb33080d949b0a32c903f23ed777
• Opcode Fuzzy Hash: 2fe0e9aecb3c77ec63c41e1544e776550358b9e102bbda05f7d7ed4e126d3df9
• Instruction Fuzzy Hash: 96E1D6B4E005198FCB14DFA9D5809AEFBB6FF89304F248169D419AB35AD731AD41CFA0

Memory Dump Source
• Source File: 00000000.00000002.1741428469.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7690000_faktura proforma pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d24295c71eb562fe4fb0b404288504029fb33d62879f1ec8dbb9efbd0aa9bd12
• Instruction ID: bb9bee26775668e0888b6e96b3ea770556a53dd9a780c939ea4faac2c753cf0d
• Opcode Fuzzy Hash: d24295c71eb562fe4fb0b404288504029fb33d62879f1ec8dbb9efbd0aa9bd12
• Instruction Fuzzy Hash: 75E1C9B4E0021A8FCB14DFA9C5809AEFBF6FF89305F248169E415AB359D731A941CF61

Memory Dump Source
• Source File: 00000000.00000002.1741428469.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7690000_faktura proforma pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c1daf3dc648963a92595d164700fda515c82125c762702137f8aa98baddd9250
• Instruction ID: 2ff87f6a68978fc019b62659d5fc76740fb6b603e6f0697bb06f1cc397885cf8
• Opcode Fuzzy Hash: c1daf3dc648963a92595d164700fda515c82125c762702137f8aa98baddd9250
• Instruction Fuzzy Hash: 0DE1E9B4E002199FCB14DFA9C9909AEFBF6FF89304F248169D415AB35AD730A941CF61

Memory Dump Source
• Source File: 00000000.00000002.1741428469.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7690000_faktura proforma pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 69fe158b4b88a1eac42ee98377c1597c08476949406de3d4f9e36373eb20073c
• Instruction ID: 4430140dd41013a22bcc5894910be26af151362102782a85343a9e82ae1d039c
• Opcode Fuzzy Hash: 69fe158b4b88a1eac42ee98377c1597c08476949406de3d4f9e36373eb20073c
• Instruction Fuzzy Hash: 8DE1C9B4E0025A8FCB14DFA9C5809AEFBF6FF89304F248169D415AB359D731A941CF61

Memory Dump Source
• Source File: 00000000.00000002.1741428469.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7690000_faktura proforma pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1b4d7ceb3bdbddc3bc13ff7716a1205a03cb00d190dd05eee5b1a821db9b7039
• Instruction ID: 3ff3744d35e0a0e163c4486268c9ff19143d9abe412be8502b489eabba2feef1
• Opcode Fuzzy Hash: 1b4d7ceb3bdbddc3bc13ff7716a1205a03cb00d190dd05eee5b1a821db9b7039
• Instruction Fuzzy Hash: BAE1D7B4E005198FCB14DFA9D5809AEFBF6FF89304F248169E415AB356D731A981CF60

Memory Dump Source
• Source File: 00000000.00000002.1741428469.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7690000_faktura proforma pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 622fe0f87c8a4df3a43145296108a9fd0f5098f5ca4a3c32e4fa4828db3e4df0
• Instruction ID: be543949dfa502079728ea7563881e427a1c8f96cd51d77ea305740fef85cfd8
• Opcode Fuzzy Hash: 622fe0f87c8a4df3a43145296108a9fd0f5098f5ca4a3c32e4fa4828db3e4df0
• Instruction Fuzzy Hash: F2E1D7B4E001198FCB14DFA9C5809AEFBF6FF89304F248169E415AB35AD731A981CF60

Memory Dump Source
• Source File: 00000000.00000002.1741428469.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7690000_faktura proforma pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ccad78a76250b56cc1733889af08fac8e9b0e2c27dd4e1df7e4189174b30ad3a
• Instruction ID: 60f5d0ecf08e82b77319ca04d9a593bebca0a462b0a02cbfc3626b2aa468fdfd
• Opcode Fuzzy Hash: ccad78a76250b56cc1733889af08fac8e9b0e2c27dd4e1df7e4189174b30ad3a
• Instruction Fuzzy Hash: A5E1C6B4E001198BCB14DFA9C5809AEFBF6FF89305F24C169E415AB35AD731A941CFA0

Memory Dump Source
• Source File: 00000000.00000002.1735028574.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1180000_faktura proforma pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 15a35d3fa79d70ae3c43f071870cf49b6332a827bd3abfd6e5c57ef4ebefc152
• Instruction ID: 8266c6ef526756d06fa2477d5d7a88c9441420f252553f468c195e27d1fbffb7
• Opcode Fuzzy Hash: 15a35d3fa79d70ae3c43f071870cf49b6332a827bd3abfd6e5c57ef4ebefc152
• Instruction Fuzzy Hash: 36A18332E003068FCF09EFB9D84059EBBB2FF94304B15856AE905AB255DB71E916CF80

Memory Dump Source
• Source File: 00000000.00000002.1741428469.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7690000_faktura proforma pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f910c97429e2dc9cd12a362a4625495f36630ccd8d5006347b95c2f6f5a7284f
• Instruction ID: 49a52211ad19202a0ac0cb2f17645952b0f37d13131d890d6206a170a93c151e
• Opcode Fuzzy Hash: f910c97429e2dc9cd12a362a4625495f36630ccd8d5006347b95c2f6f5a7284f
• Instruction Fuzzy Hash: 73714DB4E002199FCF15CFA9D9805AEBBF6FF89300F2481AAD509AB355D7315A42CF61

Memory Dump Source
• Source File: 00000000.00000002.1741428469.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7690000_faktura proforma pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3dc5c344f16294b205ed57f9b386567d53b2ba1be7cff75130704303e8c1e11c
• Instruction ID: eefd2e0ba5808801c0070e15cc39b452bf429fdffb3cadf0045e11bbee0e7d69
• Opcode Fuzzy Hash: 3dc5c344f16294b205ed57f9b386567d53b2ba1be7cff75130704303e8c1e11c
• Instruction Fuzzy Hash: F6717FB4E012598FCB04DFAAC58499EFBF6BF89310F14D16AE419AB315DB34A942CF50

Memory Dump Source
• Source File: 00000000.00000002.1741428469.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7690000_faktura proforma pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 234455aaaf3d08efe81018fa57cc9f99532302e5c76a57ddf345224e206135ea
• Instruction ID: 965d02d5f623af527adedda4fffbd044ed8bfe894ac224abffb16563d11e2479
• Opcode Fuzzy Hash: 234455aaaf3d08efe81018fa57cc9f99532302e5c76a57ddf345224e206135ea
• Instruction Fuzzy Hash: EB510AB1E042598FCB14CFA9C5805AEFBF6EF89304F24C1AAD459AB356D7305941CFA1

Memory Dump Source
• Source File: 00000000.00000002.1741428469.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_7690000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 2af8db9d404e58c201a4aa8e604493b48170640a48e9fef0458c66fe2e0315b2
                                                                                                                                                  • Instruction ID: 951504ea9af6a16b48c710bd973aef880592592fac449357bc9c567a35e41c8d
                                                                                                                                                  • Opcode Fuzzy Hash: 2af8db9d404e58c201a4aa8e604493b48170640a48e9fef0458c66fe2e0315b2
                                                                                                                                                  • Instruction Fuzzy Hash: 6A5170B5D016199FDF08DFEAD9446EEFBB6BF89300F10802AE819AB254DB345906CF40
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1741428469.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_7690000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 7f41c03ce84715cd5a67459f116a8465313c71161deec0a4667ef5dab89e0cd6
                                                                                                                                                  • Instruction ID: 61508155c8daf3a45d1226dd8c736b24c8e4d22b8158f38e871a1b6f6cd9c78c
                                                                                                                                                  • Opcode Fuzzy Hash: 7f41c03ce84715cd5a67459f116a8465313c71161deec0a4667ef5dab89e0cd6
                                                                                                                                                  • Instruction Fuzzy Hash: 6C510DB5E0021A8BCF14DFA9C5805AEBBF6FF89304F24C16AD419A7356D731AA41CF61
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1741428469.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_7690000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 4e79c921e9df506c23ac6a20f9deb8612790a4ee16376d0b9fe7e5d27ff1c274
                                                                                                                                                  • Instruction ID: 9ebd1dde6052a22802050ffc675b26c17c86550b4413fe3d749a2a51074f230c
                                                                                                                                                  • Opcode Fuzzy Hash: 4e79c921e9df506c23ac6a20f9deb8612790a4ee16376d0b9fe7e5d27ff1c274
                                                                                                                                                  • Instruction Fuzzy Hash: B2511CB5E002198FDB14DFA9C5805AEFBF6FF89300F24856AD419AB316D7319941CF60
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1741428469.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_7690000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: b0a86a05bd56b3bfc1aa05bcd7fb9efc6e418e6d679a0312853be3ca8314f331
                                                                                                                                                  • Instruction ID: c94f24ccbcfc40ad75c46a73bd6bf04c16ae5b7b1ce298f56e40fbc74d2f96f6
                                                                                                                                                  • Opcode Fuzzy Hash: b0a86a05bd56b3bfc1aa05bcd7fb9efc6e418e6d679a0312853be3ca8314f331
                                                                                                                                                  • Instruction Fuzzy Hash: E7511CB4E002198FDB14DFA9C5805AEFBF6FF89300F24856AD419AB355D730A942CF61
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1741428469.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_7690000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: d18ea0281cea968374e729e5335ef499b8c85a61843ed2674d55ab721fac8389
                                                                                                                                                  • Instruction ID: 607cc32d9a3a77073a6bbc790ad1881e4ed80146e60b37d8f324648cfbf6de3e
                                                                                                                                                  • Opcode Fuzzy Hash: d18ea0281cea968374e729e5335ef499b8c85a61843ed2674d55ab721fac8389
                                                                                                                                                  • Instruction Fuzzy Hash: BA51F8B4E0061A8FDB14DFA9C5805AEBBF6FF89300F24C169D419AB356D731A942CF61
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1741428469.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_7690000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 6e8952f7805917e989c157f720af2a1c69002086e37e7612cd9f86da66708594
                                                                                                                                                  • Instruction ID: ea579d64594cbb8ca20edf83afa6daf247f98c5322465142bf40fddc29bf2686
                                                                                                                                                  • Opcode Fuzzy Hash: 6e8952f7805917e989c157f720af2a1c69002086e37e7612cd9f86da66708594
                                                                                                                                                  • Instruction Fuzzy Hash: 2F5109B4E006198FCB14CFA9C5805AEFBF6EF89304F24C16AD419AB356D731A941CF61
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1741428469.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_7690000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 1cbc1ea41e2230f5ec9e73133afe33cd5597dedaaf01aff422c865afa972be9c
                                                                                                                                                  • Instruction ID: e973503bdcef9a92cd27e0ecb5df5cc9093e52d1cb18564b6ff7eb4f6633046b
                                                                                                                                                  • Opcode Fuzzy Hash: 1cbc1ea41e2230f5ec9e73133afe33cd5597dedaaf01aff422c865afa972be9c
                                                                                                                                                  • Instruction Fuzzy Hash: E65182B5E006598FDB08DFAAC98459EFBF6BF88300F14C06AE419AB354DB349946CF50
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1741428469.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_7690000_faktura proforma pdf.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 9c00f32f8fd677850347e2b17bd86302f310b34553b1cb0a71f0e8b1e3e4b378
                                                                                                                                                  • Instruction ID: e50650fa5cb6f9a03927b42864d368276a0613d461b4ba606b2215e8036b78cc
                                                                                                                                                  • Opcode Fuzzy Hash: 9c00f32f8fd677850347e2b17bd86302f310b34553b1cb0a71f0e8b1e3e4b378
                                                                                                                                                  • Instruction Fuzzy Hash: 6941A2B5E006599FDB08CFAAC5446EEFBF6BF89300F14C02AD419AB254DB345946CF40

Execution Graph

Execution Coverage: 1.4%
Dynamic/Decrypted Code Coverage: 2.9%
Signature Coverage: 1.4%
Total number of Nodes: 554
Total number of Limit Nodes: 67
execution_graph (interactive graph widget; the raw node and edge list of the rendered graph is not reproduced here). API calls reached from nodes in the graph, as listed in its data: LdrInitializeThunk, LdrLoadDll, ExitProcess, NtCreateFile, NtReadFile, NtClose, NtAllocateVirtualMemory, RtlAllocateHeap, RtlFreeHeap, LookupPrivilegeValueW.
1502d10 LdrInitializeThunk 98448->98612 98449 40c385 98449->97969 98449->97972 98452 41af30 LdrLoadDll 98451->98452 98453 41a04c 98452->98453 98613 1502d30 LdrInitializeThunk 98453->98613 98454 40c459 98454->97980 98457 41af30 LdrLoadDll 98456->98457 98458 419e0c 98457->98458 98614 1502fb0 LdrInitializeThunk 98458->98614 98459 40c4ac 98459->97984 98461->98422 98462->98420 98464 407ea0 4 API calls 98463->98464 98478 4087ba 98463->98478 98464->98478 98465 408a49 98465->98428 98466 408a3f 98467 408160 2 API calls 98466->98467 98467->98465 98470 419ed0 2 API calls 98470->98478 98474 40c4c0 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk LdrInitializeThunk 98474->98478 98477 419df0 2 API calls 98477->98478 98478->98465 98478->98466 98478->98470 98478->98474 98478->98477 98479 41a460 LdrLoadDll NtClose 98478->98479 98482 419ce0 98478->98482 98485 4085d0 98478->98485 98497 40f5f0 LdrLoadDll NtClose 98478->98497 98498 419d60 LdrLoadDll 98478->98498 98499 419d90 LdrLoadDll 98478->98499 98500 419e20 LdrLoadDll 98478->98500 98501 4083a0 98478->98501 98517 405f60 LdrLoadDll 98478->98517 98479->98478 98481->98432 98483 41af30 LdrLoadDll 98482->98483 98484 419cfc 98482->98484 98483->98484 98484->98478 98486 4085e6 98485->98486 98518 419850 98486->98518 98488 4085ff 98493 408771 98488->98493 98539 4081a0 98488->98539 98490 4086e5 98491 4083a0 11 API calls 98490->98491 98490->98493 98492 408713 98491->98492 98492->98493 98494 419ed0 2 API calls 98492->98494 98493->98478 98495 408748 98494->98495 98495->98493 98496 41a4d0 2 API calls 98495->98496 98496->98493 98497->98478 98498->98478 98499->98478 98500->98478 98502 4083c9 98501->98502 98579 408310 98502->98579 98505 41a4d0 2 API calls 98506 4083dc 98505->98506 98506->98505 98507 408467 98506->98507 98509 408462 98506->98509 98587 40f670 98506->98587 98507->98478 98508 41a460 2 API calls 98510 40849a 98508->98510 98509->98508 98510->98507 98511 419ce0 LdrLoadDll 98510->98511 98512 4084ff 98511->98512 98512->98507 98591 
419d20 98512->98591 98514 408563 98514->98507 98515 414a50 8 API calls 98514->98515 98516 4085b8 98515->98516 98516->98478 98517->98478 98519 41bf60 2 API calls 98518->98519 98520 419867 98519->98520 98546 409310 98520->98546 98522 419882 98523 4198c0 98522->98523 98524 4198a9 98522->98524 98526 41bd10 2 API calls 98523->98526 98525 41bd90 2 API calls 98524->98525 98527 4198b6 98525->98527 98528 4198fa 98526->98528 98527->98488 98529 41bd10 2 API calls 98528->98529 98530 419913 98529->98530 98536 419bb4 98530->98536 98552 41bd50 98530->98552 98533 419ba0 98534 41bd90 2 API calls 98533->98534 98535 419baa 98534->98535 98535->98488 98537 41bd90 2 API calls 98536->98537 98538 419c09 98537->98538 98538->98488 98540 40829f 98539->98540 98542 4081b5 98539->98542 98540->98490 98541 414a50 8 API calls 98544 408222 98541->98544 98542->98540 98542->98541 98543 408249 98543->98490 98544->98543 98545 41bd90 2 API calls 98544->98545 98545->98543 98547 409335 98546->98547 98548 40acf0 LdrLoadDll 98547->98548 98549 409368 98548->98549 98551 40938d 98549->98551 98555 40cf20 98549->98555 98551->98522 98573 41a550 98552->98573 98556 40cf4c 98555->98556 98557 41a1b0 LdrLoadDll 98556->98557 98558 40cf65 98557->98558 98559 40cf6c 98558->98559 98566 41a1f0 98558->98566 98559->98551 98563 40cfa7 98564 41a460 2 API calls 98563->98564 98565 40cfca 98564->98565 98565->98551 98567 41a20c 98566->98567 98568 41af30 LdrLoadDll 98566->98568 98572 1502ca0 LdrInitializeThunk 98567->98572 98568->98567 98569 40cf8f 98569->98559 98571 41a7e0 LdrLoadDll 98569->98571 98571->98563 98572->98569 98574 41af30 LdrLoadDll 98573->98574 98575 41a56c 98574->98575 98578 1502f90 LdrInitializeThunk 98575->98578 98576 419b99 98576->98533 98576->98536 98578->98576 98580 408328 98579->98580 98581 40acf0 LdrLoadDll 98580->98581 98582 408343 98581->98582 98583 414e50 LdrLoadDll 98582->98583 98584 408353 98583->98584 98585 40835c PostThreadMessageW 98584->98585 98586 408370 98584->98586 98585->98586 98586->98506 98588 
40f683 98587->98588 98594 419e60 98588->98594 98592 419d3c 98591->98592 98593 41af30 LdrLoadDll 98591->98593 98592->98514 98593->98592 98595 419e7c 98594->98595 98596 41af30 LdrLoadDll 98594->98596 98599 1502dd0 LdrInitializeThunk 98595->98599 98596->98595 98597 40f6ae 98597->98506 98599->98597 98600->98436 98602 419fac 98601->98602 98603 41af30 LdrLoadDll 98601->98603 98610 1502f30 LdrInitializeThunk 98602->98610 98603->98602 98604 419fcf 98604->98441 98605 41af30 LdrLoadDll 98604->98605 98606 419ffc 98605->98606 98611 1502d10 LdrInitializeThunk 98606->98611 98607 41a02b 98607->98441 98610->98604 98611->98607 98612->98449 98613->98454 98614->98459

Control-flow Graph
control_flow_graph 0 41a3da-41a429 call 41af30 NtReadFile
APIs
• NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A425
Strings
Memory Dump Source
• Source File: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_RegSvcs.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID: 1JA$rMA$rMA
• API String ID: 2738559852-782607585
• Opcode ID: ac26e2eead842cf67d4cc4646b55e6db792ab7ec0130b0b1aebf9242eebc898f
• Instruction ID: 1621ec5d5615cfbbd2a7460557919eecc80803f6b914c945317f9110520505c4
• Opcode Fuzzy Hash: ac26e2eead842cf67d4cc4646b55e6db792ab7ec0130b0b1aebf9242eebc898f
• Instruction Fuzzy Hash: E1F0F4B2200118AFCB14CF99DC81EEB77A9EF8C354F158249BA1DD7241DA30E912CBA0

Control-flow Graph
control_flow_graph 3 41a3e0-41a3f6 4 41a3fc-41a429 NtReadFile 3->4 5 41a3f7 call 41af30 3->5 5->4
APIs
• NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A425
Strings
Memory Dump Source
• Source File: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_RegSvcs.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID: 1JA$rMA$rMA
• API String ID: 2738559852-782607585
• Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
• Instruction ID: c75c44bd16ed9a046d03b4490adc68ebadf214b0f3589fd2ba36fb57c0fad8bd
• Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
• Instruction Fuzzy Hash: 95F0B7B2210208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

Control-flow Graph
control_flow_graph 204 41a2eb-41a2ef 205 41a2f1-41a329 call 41af30 204->205 206 41a346-41a381 call 41af30 NtCreateFile 204->206
APIs
• NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A37D
Memory Dump Source
• Source File: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_RegSvcs.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: fd6409369499a9aa7a69765ed3f4feb42ed0b969e52c3f9ae1d301d8893e82c0
• Instruction ID: aaf30276e27feee70eaf5ef818d2fb9516147c3f277a8e2d9c515ed336a7d524
• Opcode Fuzzy Hash: fd6409369499a9aa7a69765ed3f4feb42ed0b969e52c3f9ae1d301d8893e82c0
• Instruction Fuzzy Hash: 7211E5B2215108AFCB08DF98DC85DEB73ADAF8C314F108209FE1D97241D634E861CBA4

Control-flow Graph
control_flow_graph 242 40acf0-40ad19 call 41cc20 245 40ad1b-40ad1e 242->245 246 40ad1f-40ad2d call 41d040 242->246 249 40ad3d-40ad4e call 41b470 246->249 250 40ad2f-40ad3a call 41d2c0 246->250 255 40ad50-40ad64 LdrLoadDll 249->255 256 40ad67-40ad6a 249->256 250->249 255->256
APIs
• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
Memory Dump Source
• Source File: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_RegSvcs.jbxd
Yara matches
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
• Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
• Instruction ID: 667dcf47c4413345b20473d406be44d3d8b7ebea9a3b2269cd40777f9644ce6e
• Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
• Instruction Fuzzy Hash: 79015EB5D0020DBBDB10EBA1DC42FDEB3799F54308F0045AAA908A7281F638EB54CB95

Control-flow Graph
control_flow_graph 257 41a330-41a381 call 41af30 NtCreateFile
APIs
• NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A37D
Memory Dump Source
• Source File: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_RegSvcs.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
• Instruction ID: 7ed6e6cb708c972561b0f9910f559a39af1ab3cc862b6eef20835abd22e26781
• Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
• Instruction Fuzzy Hash: C4F0BDB2211208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E851CBA4

Control-flow Graph
control_flow_graph 261 41a50c-41a54d call 41af30 NtAllocateVirtualMemory
APIs
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B104,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A549
Memory Dump Source
• Source File: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_RegSvcs.jbxd
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: f6a9656891865fe46833127451bc76cec07cece9d25c5ff69d0cd68c62593d4a
• Instruction ID: e2c8ed0ff941296fe227198e94f94f2569fe5c031e0d4c6c842169a83b461cf8
• Opcode Fuzzy Hash: f6a9656891865fe46833127451bc76cec07cece9d25c5ff69d0cd68c62593d4a
• Instruction Fuzzy Hash: 2DF015B2214109AFDB18DF89CC81EEB77ADAF88354F118249BA0C97245C630E911CBA0

Control-flow Graph
control_flow_graph 264 41a510-41a526 265 41a52c-41a54d NtAllocateVirtualMemory 264->265 266 41a527 call 41af30 264->266 266->265
APIs
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B104,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A549
Memory Dump Source
• Source File: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_RegSvcs.jbxd
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
• Instruction ID: 8b47746d7073478515a2f8fd1fb94e42dcc9ffa91ac9ff965dae3841ed3a313c
• Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
• Instruction Fuzzy Hash: 9CF015B2210208ABCB14DF89CC81EEB77ADAF88754F118149BE0897241C630F811CBA4
APIs
• NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A485
Memory Dump Source
• Source File: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_RegSvcs.jbxd
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: aa5d259affc9c2a15dfae388f785dda8d20d4c05b7911eddf8cfd44673aa2e28
• Instruction ID: d1cf02db40167ec37705e0b9dfbb3c45d0b047f53a2925f5f8260eef5ce17965
• Opcode Fuzzy Hash: aa5d259affc9c2a15dfae388f785dda8d20d4c05b7911eddf8cfd44673aa2e28
• Instruction Fuzzy Hash: 41E08C76600214ABDB10EB94CC86F977768EF48760F014499BE186B342C530FA11CBD1
APIs
• NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A485
Memory Dump Source
• Source File: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_RegSvcs.jbxd
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
• Instruction ID: e9450f8bec15428cdd91297f97b7848412804bda5c7d31b3f0e5b01193c95e83
• Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
• Instruction Fuzzy Hash: 3CD01776211214ABD710EB99CC85EE77BACEF48764F15449ABA189B242C530FA1186E0
APIs
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: f3b7861a92947e4f568979ea5502007efdf270d2ab4c3ff64c57e9d377933fd4
• Instruction ID: 0e53ccb2f9b95269dfd7b33d225970220be661f656a904cfa55b27325264fe53
• Opcode Fuzzy Hash: f3b7861a92947e4f568979ea5502007efdf270d2ab4c3ff64c57e9d377933fd4
• Instruction Fuzzy Hash: 4390026224240003511671584414616504AA7E1211F59C821E1014990DC66589916225
APIs
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 083d0bdaac0bba1d73c51797c79460a96a7101ddcc103e150e34fdd3bd42a0b7
• Instruction ID: 79460480edf1d6713fac85b846d63c2f74ef331259f8b784716ab5afd4b131d0
• Opcode Fuzzy Hash: 083d0bdaac0bba1d73c51797c79460a96a7101ddcc103e150e34fdd3bd42a0b7
• Instruction Fuzzy Hash: F490023224140803E1917158440464A1045A7D2311F99C815A0025A54DCB558B5977A1
APIs
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 9655f9a3584e81d05eb43816644222b2997cabbd71660a0cfd69481c11a1d00e
• Instruction ID: f21241614b2d1fd64657dbdfa22bed4bff675dfea90afe787ec7bad4f0da94f1
• Opcode Fuzzy Hash: 9655f9a3584e81d05eb43816644222b2997cabbd71660a0cfd69481c11a1d00e
• Instruction Fuzzy Hash: 9E900226251400031116B55807045071086A7D6361759C821F1015950CD76189615221
APIs
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: d73cc9ca4c4215d893323f22f0d6e99ade4164c43d49ad21ac26a8a2488f6170
• Instruction ID: bce544fe7f36b23b86852c20c8ccced1c20df5c7ba53a0b038bec47aa8508af5
• Opcode Fuzzy Hash: d73cc9ca4c4215d893323f22f0d6e99ade4164c43d49ad21ac26a8a2488f6170
• Instruction Fuzzy Hash: 5490022A25340003E1917158540860A1045A7D2212F99DC15A0015958CCA5589695321
APIs
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 7e44420f231a0a3b51dfcede20b00c33fb1aa28de0d567300d64699e2a115b77
• Instruction ID: d4ff5c1bea87e2ed5cbb3f0ba671f9ef94d58c760de8bf3c75e7976efa228446
• Opcode Fuzzy Hash: 7e44420f231a0a3b51dfcede20b00c33fb1aa28de0d567300d64699e2a115b77
• Instruction Fuzzy Hash: 5490022234140003E151715854186065045F7E2311F59D811E0414954CDA5589565322
APIs
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: c48cc163add165f6a39e8f8984c6b808491cac58adeb95d109afa196645db456
• Instruction ID: 5a8cec52115b72dedb5fef0888cacfffd9934e23dd5b90442e1603a00c5b79bb
• Opcode Fuzzy Hash: c48cc163add165f6a39e8f8984c6b808491cac58adeb95d109afa196645db456
• Instruction Fuzzy Hash: C8900222282441536556B15844045075046B7E1251B99C812A1414D50CC6669956D721
APIs
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 9cdb02021cdf32640a3aa87d2a18da57a16b523e375d435e986bc13b8103a6f7
• Instruction ID: 4d1113bce3d1771224296ddc037661e9a56e995259814eddc1e92957f7155f7f
• Opcode Fuzzy Hash: 9cdb02021cdf32640a3aa87d2a18da57a16b523e375d435e986bc13b8103a6f7
• Instruction Fuzzy Hash: 4490023224140413E122715845047071049A7D1251F99CC12A0424958DD7968A52A221
APIs
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 2b93cf5283c7e7cf24ce225ee034a4db42e0ac5425c81d38a93b334cc0a55f69
• Instruction ID: f155f255728c1ac15c94142ca699fc095d67ddac5dc78648c16fd9f39c2ca4b5
• Opcode Fuzzy Hash: 2b93cf5283c7e7cf24ce225ee034a4db42e0ac5425c81d38a93b334cc0a55f69
• Instruction Fuzzy Hash: 8290023224148803E1217158840474A1045A7D1311F5DCC11A4424A58DC7D589917221
APIs
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: e98565f8e38b1a2c11e18096b0bd059c3525d320a55766ee922575db1ea1f084
• Instruction ID: 242e3c77a783fa5c09f58f752c831cfe3b37a19bafa4d8575a0550a080ff3a16
• Opcode Fuzzy Hash: e98565f8e38b1a2c11e18096b0bd059c3525d320a55766ee922575db1ea1f084
• Instruction Fuzzy Hash: 7890023224140403E111759854086461045A7E1311F59D811A5024955EC7A589916231
APIs
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 1a8e54aff5829a1c121e22ef37a73d66791e0f56d8831d911ff1ee138901f61e
• Instruction ID: 0bbfd4c0a9f2d3824f68930c9b45c06932d4368e2868f26b93b248ac8c940205
• Opcode Fuzzy Hash: 1a8e54aff5829a1c121e22ef37a73d66791e0f56d8831d911ff1ee138901f61e
• Instruction Fuzzy Hash: 6F90026238140443E11171584414B061045E7E2311F59C815E1064954DC759CD526226
APIs
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
APIs
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
APIs
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
APIs
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
APIs
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Memory Dump Source
• Source File: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_RegSvcs.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 6 41a600-41a631 call 41af30 RtlAllocateHeap
APIs
• RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A62D
Strings
Memory Dump Source
• Source File: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_RegSvcs.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID: 6EA
• API String ID: 1279760036-1400015478

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 212 40830a-40835a call 41be30 call 41c9d0 call 40acf0 call 414e50 221 40835c-40836e PostThreadMessageW 212->221 222 40838e-408392 212->222 223 408370-40838a call 40a480 221->223 224 40838d 221->224 223->224 224->222
APIs
• PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
Memory Dump Source
• Source File: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_RegSvcs.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 227 408310-40831f 228 408328-40835a call 41c9d0 call 40acf0 call 414e50 227->228 229 408323 call 41be30 227->229 236 40835c-40836e PostThreadMessageW 228->236 237 40838e-408392 228->237 229->228 238 408370-40838a call 40a480 236->238 239 40838d 236->239 238->239 239->237
APIs
• PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
Memory Dump Source
• Source File: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_RegSvcs.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 267 41a791-41a7ba call 41af30 269 41a7bf-41a7d4 LookupPrivilegeValueW 267->269
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A7D0
Memory Dump Source
• Source File: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_RegSvcs.jbxd
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 270 41a632-41a656 271 41a65c-41a671 RtlFreeHeap 270->271 272 41a657 call 41af30 270->272 272->271
APIs
• RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A66D
Memory Dump Source
• Source File: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_RegSvcs.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
                                                                                                                                                  • Opcode ID: b0220c7f639f53d61aa9cf495588a17710a80ea40037480b153ee62d8d3a0875
                                                                                                                                                  • Instruction ID: 6d89a9ab60c7953abde1c38c8a765e069c22664124191efddfd3e76a9ac12e33
                                                                                                                                                  • Opcode Fuzzy Hash: b0220c7f639f53d61aa9cf495588a17710a80ea40037480b153ee62d8d3a0875
                                                                                                                                                  • Instruction Fuzzy Hash: 80E0EDB22142046BDB24DF64CC4AEE737A8EF48364F104259F89897241C130E811CBA0

Control-flow Graph

control_flow_graph 273 41a640-41a671 call 41af30 RtlFreeHeap
APIs
• RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A66D
Memory Dump Source
• Source File: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_RegSvcs.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
• Instruction ID: 3f65de21c9b51a2b7742007d51c6b1fad19b07b0b1b2c98d2bb582ee848745b4
• Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
• Instruction Fuzzy Hash: 1EE046B1210208ABDB18EF99CC49EE777ACEF88764F018559FE085B242C630F911CAF0

APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A7D0
Memory Dump Source
• Source File: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_RegSvcs.jbxd
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
• Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
• Instruction ID: a195d06a74d451d332e2306e76e7c3aa502b90bd3f16d73f11471c4c6d802808
• Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
• Instruction Fuzzy Hash: 2FE01AB12102086BDB10DF49CC85EE737ADAF88654F018155BA0857241C934E8118BF5

APIs
• ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6A8
Memory Dump Source
• Source File: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_RegSvcs.jbxd
Yara matches
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
• Instruction ID: 026b6f0270740822b369349059f6971daea101c61a9fac8a7aff4918670f7806
• Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
• Instruction Fuzzy Hash: C1D017726112187BD620EB99CC85FD777ACDF487A4F0180AABA1C6B242C531BA11CAE1

APIs
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: f6ec881b01b1842f8f1ed33c8324acb250184cc8354fb01f0842be893a266cc9
• Instruction ID: 8d746ae80a627ed05325f729a8bd68331a25bfe576be3d71b4c243215d3a4fa0
• Opcode Fuzzy Hash: f6ec881b01b1842f8f1ed33c8324acb250184cc8354fb01f0842be893a266cc9
• Instruction Fuzzy Hash: D3B09B729415C5D6EA13E7A4460C71B794077D1711F1DC465D2030A85F8778C1D1E275

Strings
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
• API String ID: 0-2160512332
• Opcode ID: 02fa643d028919ca3ab89d3858cb38a90254162c6b0bc2d1ca4bc254805f73b3
• Instruction ID: febb774749692a94c5a525f3c859bf70b4339a61d00207f93c8e12819c5c23ee
• Opcode Fuzzy Hash: 02fa643d028919ca3ab89d3858cb38a90254162c6b0bc2d1ca4bc254805f73b3
• Instruction Fuzzy Hash: 7792A071608352AFE725DF19C880B6BBBE8BF94758F04491DFA94DB260D770E844CB92

Strings
• double initialized or corrupted critical section, xrefs: 01535508
• Thread identifier, xrefs: 0153553A
• corrupted critical section, xrefs: 015354C2
• Thread is in a state in which it cannot own a critical section, xrefs: 01535543
• 8, xrefs: 015352E3
• Invalid debug info address of this critical section, xrefs: 015354B6
• Critical section address., xrefs: 01535502
• First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 015354E2
• undeleted critical section in freed memory, xrefs: 0153542B
• Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0153540A, 01535496, 01535519
• Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 015354CE
• Critical section debug info address, xrefs: 0153541F, 0153552E
• Critical section address, xrefs: 01535425, 015354BC, 01535534
• Address of the debug info found in the active list., xrefs: 015354AE, 015354FA
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
• API String ID: 0-2368682639
• Opcode ID: c2d5732d283306c824bc5c8d7927f6da8c872551640f095e9892b902643b8c13
• Instruction ID: 974de87870f02da5efd38b2eeb5b30f80516d7dd4c3de4eb3f815922e0b34ecc
• Opcode Fuzzy Hash: c2d5732d283306c824bc5c8d7927f6da8c872551640f095e9892b902643b8c13
• Instruction Fuzzy Hash: FA81A1B0A40349AFDB20CF99C844BAEBBF5FB58704F61411EF505BB290E375A945CB50

Strings
• SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01532506
• SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01532498
• SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01532624
• SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01532412
• SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01532602
• RtlpResolveAssemblyStorageMapEntry, xrefs: 0153261F
• SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 015322E4
• SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 015324C0
• @, xrefs: 0153259B
• SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01532409
• SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 015325EB
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
• API String ID: 0-4009184096
• Opcode ID: b540691dd16ff598c1d3639fda632fdbdae2220055e406729d5f6d70463f1d15
• Instruction ID: 14d71215669331258b5916612ba0450ac61c27ed52914fad204a6c21e59c949a
• Opcode Fuzzy Hash: b540691dd16ff598c1d3639fda632fdbdae2220055e406729d5f6d70463f1d15
• Instruction Fuzzy Hash: 29027FB1D006299BDB31DB58CC80B9EB7B8BF54304F4041DEA749AB251DB71AE84CF69

Strings
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
• API String ID: 0-2515994595
• Opcode ID: 303f7017e848f5c3ec7a42ff56a78ed44e458c60fe8caecf1feb611c4b20d953
• Instruction ID: ba70a6204229f608d1811be649dcdbbc9a8de62a0e2822d22be83fea4379a843
• Opcode Fuzzy Hash: 303f7017e848f5c3ec7a42ff56a78ed44e458c60fe8caecf1feb611c4b20d953
• Instruction Fuzzy Hash: 9151D1715143019BD725DF19C844BABBBECFFA8244F14491EEA99CB294E770E504CBE2
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                                                                                                                  • API String ID: 0-1700792311
                                                                                                                                                  • Opcode ID: 6a25bbb7cecba6d5ad7e520a5a2d00cd8d37238de17ae0407717be7ee243e523
                                                                                                                                                  • Instruction ID: 8f0861213ca9feffc574abdd2d0984e694cdc81052c0d9c3c912f951bd7ccc58
                                                                                                                                                  • Opcode Fuzzy Hash: 6a25bbb7cecba6d5ad7e520a5a2d00cd8d37238de17ae0407717be7ee243e523
                                                                                                                                                  • Instruction Fuzzy Hash: 84D1DF31500686DFDB22DF69E492AADBBF1FF5A710F18805AF4459F2A2C734D945CB20
                                                                                                                                                  Strings
                                                                                                                                                  • VerifierDebug, xrefs: 01548CA5
                                                                                                                                                  • HandleTraces, xrefs: 01548C8F
                                                                                                                                                  • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01548A3D
                                                                                                                                                  • VerifierDlls, xrefs: 01548CBD
                                                                                                                                                  • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01548A67
                                                                                                                                                  • AVRF: -*- final list of providers -*- , xrefs: 01548B8F
                                                                                                                                                  • VerifierFlags, xrefs: 01548C50
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                                                                                                                  • API String ID: 0-3223716464
                                                                                                                                                  • Opcode ID: d33a8d536ba4a19055eb356941c021033c19f9704f545979bd6591bf3620b6cd
                                                                                                                                                  • Instruction ID: a7e82dd429723cfadbdb6f0bf388133c4d48af9ffbceea17015d796653ac06c5
                                                                                                                                                  • Opcode Fuzzy Hash: d33a8d536ba4a19055eb356941c021033c19f9704f545979bd6591bf3620b6cd
                                                                                                                                                  • Instruction Fuzzy Hash: 12910471A463029FD726DFA9C8C0B5AB7E8BBA4B1CF4A095DFA406F250D7709804CB95
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                                                                                                                  • API String ID: 0-1109411897
                                                                                                                                                  • Opcode ID: 1ece68c37cac149ab4d7d34bcb2071a4f67a79d07b25de1df5ecffeec9685615
                                                                                                                                                  • Instruction ID: 7c8c1f44d347ebfd0190ca43f0bd06730235665559de5719c324382d3c128e28
                                                                                                                                                  • Opcode Fuzzy Hash: 1ece68c37cac149ab4d7d34bcb2071a4f67a79d07b25de1df5ecffeec9685615
                                                                                                                                                  • Instruction Fuzzy Hash: 05A25A75A0562A8BDB64CF18C8887ADBBB1BF45704F1442EED50DAB3A0DB349E85CF40
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                                                                                                                  • API String ID: 0-792281065
                                                                                                                                                  • Opcode ID: 1f5a5f8fc125c4d16d1684b420c1271ce4b219b4cab3177616580f3d299a453b
                                                                                                                                                  • Instruction ID: e29974e6b7042d733f1130023abdf2e24fd71df48fe459f3dcf6c44faee3b6d2
                                                                                                                                                  • Opcode Fuzzy Hash: 1f5a5f8fc125c4d16d1684b420c1271ce4b219b4cab3177616580f3d299a453b
                                                                                                                                                  • Instruction Fuzzy Hash: A1914A30B007129BEB35DF58D885BAE7BA1FB90B14F56012EEA107F3A1D7B49802D794
                                                                                                                                                  Strings
                                                                                                                                                  • Getting the shim engine exports failed with status 0x%08lx, xrefs: 01519A01
                                                                                                                                                  • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 015199ED
                                                                                                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 01519A11, 01519A3A
                                                                                                                                                  • apphelp.dll, xrefs: 014B6496
                                                                                                                                                  • LdrpInitShimEngine, xrefs: 015199F4, 01519A07, 01519A30
                                                                                                                                                  • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01519A2A
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                                                                                  • API String ID: 0-204845295
                                                                                                                                                  • Opcode ID: 532703242cee2f2ae062668bbc145649fa629da1c361b86630f90ddfe9add4ee
                                                                                                                                                  • Instruction ID: 360b0fae0babbaf9f7cba18d96bdcf4750a30d5c2deb40bb520fb4361c5d5bf3
                                                                                                                                                  • Opcode Fuzzy Hash: 532703242cee2f2ae062668bbc145649fa629da1c361b86630f90ddfe9add4ee
                                                                                                                                                  • Instruction Fuzzy Hash: 8F5134722083009FE721DF24D891FAB77E8FB94648F41091EF5959B1B4D770E908CBA2
                                                                                                                                                  Strings
                                                                                                                                                  • SXS: %s() passed the empty activation context, xrefs: 01532165
                                                                                                                                                  • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0153219F
                                                                                                                                                  • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 015321BF
                                                                                                                                                  • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01532180
                                                                                                                                                  • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01532178
                                                                                                                                                  • RtlGetAssemblyStorageRoot, xrefs: 01532160, 0153219A, 015321BA
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                                                                                                                  • API String ID: 0-861424205
                                                                                                                                                  • Opcode ID: 3f5b443e21b542cfa33aa8c9d8c304856cfcbd7cf22b4640a0ef1ff02a3ebda7
                                                                                                                                                  • Instruction ID: 3ab5efbe12cbc64aff603f8e93233523e5c2ac90d312d5f072cf2832445efd3f
                                                                                                                                                  • Opcode Fuzzy Hash: 3f5b443e21b542cfa33aa8c9d8c304856cfcbd7cf22b4640a0ef1ff02a3ebda7
                                                                                                                                                  • Instruction Fuzzy Hash: 6131E736B4121577F7218A9A8C41F5B7BA8EBE5A50F15405FFB04AB361D3B0DE01C6A1
                                                                                                                                                  Strings
                                                                                                                                                  • LdrpInitializeImportRedirection, xrefs: 01538177, 015381EB
                                                                                                                                                  • minkernel\ntdll\ldrredirect.c, xrefs: 01538181, 015381F5
                                                                                                                                                  • Unable to build import redirection Table, Status = 0x%x, xrefs: 015381E5
                                                                                                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 014FC6C3
                                                                                                                                                  • LdrpInitializeProcess, xrefs: 014FC6C4
                                                                                                                                                  • Loading import redirection DLL: '%wZ', xrefs: 01538170
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                                                                                                                  • API String ID: 0-475462383
                                                                                                                                                  • Opcode ID: 78d1933b919c3ba48321f84f22805e1abfd3999624815b45d122e199e392fb28
                                                                                                                                                  • Instruction ID: d5ac7105cf20097339779ed9b45704d4f480282bff3acbfc194425d935bd0d75
                                                                                                                                                  • Opcode Fuzzy Hash: 78d1933b919c3ba48321f84f22805e1abfd3999624815b45d122e199e392fb28
                                                                                                                                                  • Instruction Fuzzy Hash: 3531F3716443069BD224EE29D886E2AB7D5FFE4B10F05061DF9846B3A1E670EC04C7A2
                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 01502DF0: LdrInitializeThunk.NTDLL ref: 01502DFA
                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01500BA3
                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01500BB6
                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01500D60
                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01500D74
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1404860816-0
                                                                                                                                                  • Opcode ID: f55ed27156c2a0f55b2b21d335e285d6cb9ef753e566bc6cc9fa185de1999de7
                                                                                                                                                  • Instruction ID: e1f774478e547c6c52af6320e22cc0a34eb09944adc0888696f0b6109cab4f14
                                                                                                                                                  • Opcode Fuzzy Hash: f55ed27156c2a0f55b2b21d335e285d6cb9ef753e566bc6cc9fa185de1999de7
                                                                                                                                                  • Instruction Fuzzy Hash: 6C425DB2900715DFDB21CF68C881BAAB7F4BF44314F1445A9E989EF281D770AA85CF61
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
• API String ID: 0-379654539
• Opcode ID: 93dcc1036e8ff5a40b9142c3cfffce988284515d1a8a7b912db9cffbfd9ccbab
• Instruction ID: 7a5e3f715b9999f7a9e81c0883cea9446adbe25bc7803f76358f7770f1b473ae
• Opcode Fuzzy Hash: 93dcc1036e8ff5a40b9142c3cfffce988284515d1a8a7b912db9cffbfd9ccbab
• Instruction Fuzzy Hash: 6FC1CD7920838ACFD751CF58C144B6AB7E4BF94B04F10896EF9869B3A0E734C946CB56
Strings
• @, xrefs: 014F8591
• minkernel\ntdll\ldrinit.c, xrefs: 014F8421
• LdrpInitializeProcess, xrefs: 014F8422
• \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 014F855E
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
• API String ID: 0-1918872054
• Opcode ID: 9df8565519f22a9e87becca05f77efc81eb64224815259d93457525d64ef3f61
• Instruction ID: 1e9f5d2fe5a3e69a200aa7397ddee2938cb0cb3f81ae9146c2a08fad9f163876
• Opcode Fuzzy Hash: 9df8565519f22a9e87becca05f77efc81eb64224815259d93457525d64ef3f61
• Instruction Fuzzy Hash: A8919271518346AFDB22EF65CC44F6BBBE8BF94754F40092EF6849A261E334D904CB62
Strings
• SXS: %s() passed the empty activation context, xrefs: 015321DE
• SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 015322B6
• RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 015321D9, 015322B1
• .Local, xrefs: 014F28D8
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
• API String ID: 0-1239276146
• Opcode ID: acf300e23be5e3b3e1264dbb627612dc712842ba26e12f8695f9bd91d9b1d236
• Instruction ID: fe89d7de7ac1057577f874df05e6878a7d3b212b15992d07d21c559bbec35b13
• Opcode Fuzzy Hash: acf300e23be5e3b3e1264dbb627612dc712842ba26e12f8695f9bd91d9b1d236
• Instruction Fuzzy Hash: 20A17E31A012299BDB25CF59CC84F9AB7B5BB58314F1541EEDA08AB361D770DE81CF90
Strings
• SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01533456
• RtlDeactivateActivationContext, xrefs: 01533425, 01533432, 01533451
• SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01533437
• SXS: %s() called with invalid flags 0x%08lx, xrefs: 0153342A
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
• API String ID: 0-1245972979
• Opcode ID: ca343511b51754a5e0d6f6cc7e559df20866a8e0e96a5e22328203f483017f9e
• Instruction ID: 437b538ddf800e18efa10560ca929ad8174fd98672c558c369aa872fe93acf63
• Opcode Fuzzy Hash: ca343511b51754a5e0d6f6cc7e559df20866a8e0e96a5e22328203f483017f9e
• Instruction Fuzzy Hash: 1D61F1366007129BD722CF1DC885B2BB7E5BF90B60F59852EEA559F361DB30E801CB91
Strings
• ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0152106B
• ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 015210AE
• ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01521028
• ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01520FE5
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
• API String ID: 0-1468400865
• Opcode ID: 2333356109ddd8480d528e2e80766c9a0c06c76079acce035bcdce7c45d97a25
• Instruction ID: 74e14f16339761e042c8208859b3e2b2afc47a2b1fec3fb9dcb2a6f88ef19a41
• Opcode Fuzzy Hash: 2333356109ddd8480d528e2e80766c9a0c06c76079acce035bcdce7c45d97a25
• Instruction Fuzzy Hash: E771DF759043069FCB61DF18C884F9B7BA8AFA5B54F10446AF9488F29AD334D189CBD1
Strings
• LdrpDynamicShimModule, xrefs: 0152A998
• minkernel\ntdll\ldrinit.c, xrefs: 0152A9A2
• apphelp.dll, xrefs: 014E2462
• Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0152A992
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
• API String ID: 0-176724104
• Opcode ID: 0865c5684faba8a8c472d1daae6c5f212d439760ff0d8b21d0485414397be115
• Instruction ID: 50a129da90bb567a371c2f39b95e85b2d59f34ed125e3f8e0cbd371800f5acc7
• Opcode Fuzzy Hash: 0865c5684faba8a8c472d1daae6c5f212d439760ff0d8b21d0485414397be115
• Instruction Fuzzy Hash: EF314872A00212ABDB719F5A98C5E6E77F5FB85B00F17002EF9106F2A5D7B05946D740
Strings
• HEAP[%wZ]: , xrefs: 014D3255
• Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 014D327D
• HEAP: , xrefs: 014D3264
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
• API String ID: 0-617086771
• Opcode ID: 86668dadf48025ef51a2c76ed221597c69997768b9135f0034cc2a0cdfb7a18f
• Instruction ID: 2c9677ba4c2dd2890ab35f17918c4c5098c089daa411d196d4ad6cc17451fb1f
• Opcode Fuzzy Hash: 86668dadf48025ef51a2c76ed221597c69997768b9135f0034cc2a0cdfb7a18f
• Instruction Fuzzy Hash: F892BC71A042499FDF25CF68C460BAEBBF1FF48310F18809AE859AB361D774A946CF51
Strings
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
• API String ID: 0-4253913091
• Opcode ID: 686548eaf4157402a2b85578fb72bfd0aeba4758c4e77c58185e816fbf42c839
• Instruction ID: cabffafc750c9d35ef2fb50bfd754ba90235aeab9a6e6c4d58e103335c347fc5
• Opcode Fuzzy Hash: 686548eaf4157402a2b85578fb72bfd0aeba4758c4e77c58185e816fbf42c839
• Instruction Fuzzy Hash: DEF1BD31A00606DFEB25CF68C8A4BAAB7F5FF45300F1441AAF5569B3A1D734E981CB91
Strings
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID: $@
• API String ID: 2994545307-1077428164
• Opcode ID: 92fe093d8e3768adb811f266e3bbde47c1fe922b62cd164e27a89e3a177bc1f9
• Instruction ID: 92d4d6acc26f082176f73ff445691a3117fc41674febf31ff95634f45ba02fbd
• Opcode Fuzzy Hash: 92fe093d8e3768adb811f266e3bbde47c1fe922b62cd164e27a89e3a177bc1f9
• Instruction Fuzzy Hash: E9C2A0726083519FEB25CF28C844BAFBBE5BF89715F04892EE98987351D734D805CB92
Strings
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: FilterFullPath$UseFilter$\??\
• API String ID: 0-2779062949
• Opcode ID: 0d995d6e1f7600564ff0fab02d7da6b7342d9fb414947143bd916dfc95472fe0
• Instruction ID: 9b57386449feed6f42d52e7619d8a46522729d3333a534cf837aeb275eeaeac5
• Opcode Fuzzy Hash: 0d995d6e1f7600564ff0fab02d7da6b7342d9fb414947143bd916dfc95472fe0
• Instruction Fuzzy Hash: 76A14B719416299BEF329F68CC88BEAB7B8FF44710F1001EAD909AB250D7759E85CF50
Strings
• Failed to allocated memory for shimmed module list, xrefs: 0152A10F
• LdrpCheckModule, xrefs: 0152A117
• minkernel\ntdll\ldrinit.c, xrefs: 0152A121
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
• API String ID: 0-161242083
• Opcode ID: e94b18ca8cf58ed4b737f49e1278c711aaaa4d535570a0008c76abd540120096
• Instruction ID: 87f4d07cd64ed43e9766451b8642e5a1d69bf3a8e8d6df907fde1e7e6d32eba1
• Opcode Fuzzy Hash: e94b18ca8cf58ed4b737f49e1278c711aaaa4d535570a0008c76abd540120096
• Instruction Fuzzy Hash: C7710171A00206DFDB29DFA8C984ABEB7F4FF44704F15442EE522AB761E374A946CB50
Strings
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
• API String ID: 0-1334570610
• Opcode ID: 7842b028a2f9164caa00f4cc12a22fcb223525bf120921882f3a9795a3ecc291
• Instruction ID: f89093f9ea2d71600db6c919d55b894b4b281bbfcc5c318885e0748140e670ac
• Opcode Fuzzy Hash: 7842b028a2f9164caa00f4cc12a22fcb223525bf120921882f3a9795a3ecc291
                                                                                                                                                  • Instruction Fuzzy Hash: 6861BC716143029FDB29CF28C494BAABBE1FF55704F14855EE8998F3A2D770E881CB91
                                                                                                                                                  Strings
                                                                                                                                                  • LdrpInitializePerUserWindowsDirectory, xrefs: 015382DE
                                                                                                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 015382E8
                                                                                                                                                  • Failed to reallocate the system dirs string !, xrefs: 015382D7
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                                                                                                                  • API String ID: 0-1783798831
                                                                                                                                                  • Opcode ID: 98714acc16de2f0046b4b21c18b91d8b5bedda8fd8b5efbf1d9e46b952b36adf
                                                                                                                                                  • Instruction ID: f0ce0c72a466d63ee5dd75efdfd2bdd1460a41f1e4819d1a1182dc70fa529df7
                                                                                                                                                  • Opcode Fuzzy Hash: 98714acc16de2f0046b4b21c18b91d8b5bedda8fd8b5efbf1d9e46b952b36adf
                                                                                                                                                  • Instruction Fuzzy Hash: 4C41CFB1540306ABCB21EB69D8C4F5B77E8BF94650F11492FFA549B3A0E770D8049B91
                                                                                                                                                  Strings
                                                                                                                                                  • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0157C1C5
                                                                                                                                                  • @, xrefs: 0157C1F1
                                                                                                                                                  • PreferredUILanguages, xrefs: 0157C212
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                                                                                                                  • API String ID: 0-2968386058
                                                                                                                                                  • Opcode ID: 50998f70e1f2e7b8b151bc70de26a84d0314582baf77c186ce0fadce66336727
                                                                                                                                                  • Instruction ID: 4b2766b31d60d74fbdedb84ad69f7560ec3aac78a576ea322f9a546c400d5b7a
                                                                                                                                                  • Opcode Fuzzy Hash: 50998f70e1f2e7b8b151bc70de26a84d0314582baf77c186ce0fadce66336727
                                                                                                                                                  • Instruction Fuzzy Hash: 5D419371E0020AEBDF11DFD8D895FEEBBB8BB54700F14406AE649FB290E7749A448B50
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                                                                                                                  • API String ID: 0-1373925480
                                                                                                                                                  • Opcode ID: 431a6c54cf0a036ebe3cc6348e0894c835d69dcbb0654f1eb4d15743add5d81b
                                                                                                                                                  • Instruction ID: 53bf3852ad875932d7ab34699e7847c1b294dccfdc5d5b938f98e8a9731d3eb6
                                                                                                                                                  • Opcode Fuzzy Hash: 431a6c54cf0a036ebe3cc6348e0894c835d69dcbb0654f1eb4d15743add5d81b
                                                                                                                                                  • Instruction Fuzzy Hash: 84410372A006598BEB22DB9AC864BADBBF4FF65380F14045BDD01EF791E7348981CB11
                                                                                                                                                  Strings
                                                                                                                                                  • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01544888
                                                                                                                                                  • minkernel\ntdll\ldrredirect.c, xrefs: 01544899
                                                                                                                                                  • LdrpCheckRedirection, xrefs: 0154488F
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                                                                                                  • API String ID: 0-3154609507
                                                                                                                                                  • Opcode ID: 0bc124d196b71c04efd8ebce54c530b3d78df716d004ffd7b331a275ac73d263
                                                                                                                                                  • Instruction ID: 1e50dd1c22f9faeb469b5a9dbecc97fcc2ae2824277abdc855a2fa47c3dbb88f
                                                                                                                                                  • Opcode Fuzzy Hash: 0bc124d196b71c04efd8ebce54c530b3d78df716d004ffd7b331a275ac73d263
                                                                                                                                                  • Instruction Fuzzy Hash: 7441D372A846519FEB21CE6CD840B2A7BE4FF89658F06055DED58EF312E730D801DB91
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                                                                                                                  • API String ID: 0-2558761708
                                                                                                                                                  • Opcode ID: 81a52b8cbd36013077932e52bcb899d95c9ddcb71714c77042ee9a9a38f0f7ce
                                                                                                                                                  • Instruction ID: acc79c7ccece292ec6d9cc370ff95eee15ac3a60fed8d392441b10a8a5b3e27c
                                                                                                                                                  • Opcode Fuzzy Hash: 81a52b8cbd36013077932e52bcb899d95c9ddcb71714c77042ee9a9a38f0f7ce
                                                                                                                                                  • Instruction Fuzzy Hash: B711C0323281529FDB19DA19C8A4BBAF7A4FF41625F28815FF4068F2A1E730D845C7A0
                                                                                                                                                  Strings
                                                                                                                                                  • LdrpInitializationFailure, xrefs: 015420FA
                                                                                                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 01542104
                                                                                                                                                  • Process initialization failed with status 0x%08lx, xrefs: 015420F3
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                                                                                                                  • API String ID: 0-2986994758
                                                                                                                                                  • Opcode ID: 206a480645e45fd09dcf8776e3617ddf04abfe43132c908118da962707eab2c0
                                                                                                                                                  • Instruction ID: ab9bec81c553aa4997a5a646ac2ce0c205bc25aec4a7948f193ebf8e3d4449d5
                                                                                                                                                  • Opcode Fuzzy Hash: 206a480645e45fd09dcf8776e3617ddf04abfe43132c908118da962707eab2c0
                                                                                                                                                  • Instruction Fuzzy Hash: B8F04C346403197BE724D64DDC43FA93768FB84B48F61001DF7007F291D2F0A900D641
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ___swprintf_l
                                                                                                                                                  • String ID: #%u
                                                                                                                                                  • API String ID: 48624451-232158463
                                                                                                                                                  • Opcode ID: 9a550e478381dcb165ca991ee82ece7c9f8d3075099f2d4e568431e3ab8d4fd5
                                                                                                                                                  • Instruction ID: 69e595e587acd7c032db0e293dcfb8ad15d1f70e7e7e3b1dcc25a8432aeb26b3
                                                                                                                                                  • Opcode Fuzzy Hash: 9a550e478381dcb165ca991ee82ece7c9f8d3075099f2d4e568431e3ab8d4fd5
                                                                                                                                                  • Instruction Fuzzy Hash: E6715E72A0014A9FDB01DFA9C990FAEB7F8BF58704F154066E905EB291E674ED01CB61
                                                                                                                                                  Strings
                                                                                                                                                  • LdrResSearchResource Enter, xrefs: 014CAA13
                                                                                                                                                  • LdrResSearchResource Exit, xrefs: 014CAA25
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                                                                                                                  • API String ID: 0-4066393604
                                                                                                                                                  • Opcode ID: 1e69b032694f7548f635d2e704ccbccd7ef3487aa5a0097af357b58f66fe921a
                                                                                                                                                  • Instruction ID: 7be830992e62b3371d4e2938e5e86978e2370864c3db30054e7c500a315f3a2f
                                                                                                                                                  • Opcode Fuzzy Hash: 1e69b032694f7548f635d2e704ccbccd7ef3487aa5a0097af357b58f66fe921a
                                                                                                                                                  • Instruction Fuzzy Hash: 08E19775E002199FEF61CE9DC940BAEBBB5BF49710F20042BEA11EB2A1F7359941CB50
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: `$`
                                                                                                                                                  • API String ID: 0-197956300
                                                                                                                                                  • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                                                                                                  • Instruction ID: 04109f9c2b1d6c5d2bcfcb2a8203581e83f854d4bd5c07c91b555dd4359a4f97
                                                                                                                                                  • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                                                                                                  • Instruction Fuzzy Hash: D7C1CE312043429BEB25EE29C841B2BBBE5BFD4318F084A2EF696EF290D774D545CB51
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
• String ID: Legacy$UEFI
• API String ID: 2994545307-634100481
• Opcode ID: bd68089521e106a49ddc8187306fcfb5f392b8b47b00f3b0e429099b9e7effa0
• Instruction ID: 31c4704b12e560b8b5656e9306a693a0f6c5e41de442dd0d28bff8b33fec11f2
• Opcode Fuzzy Hash: bd68089521e106a49ddc8187306fcfb5f392b8b47b00f3b0e429099b9e7effa0
• Instruction Fuzzy Hash: 70614C71E002199FDB15DFA9C851BAEBBF5FB98700F14446EE649EF291D731A900CB50
Strings
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: @$MUI
• API String ID: 0-17815947
• Opcode ID: 5d580e6370c16870b6b7d77e20c0a0f84cb3261a0849d97e9d87b7f2df09ab1c
• Instruction ID: fe2aa6fbc762fe10f26f00972ffc75d3b715b5ca167407b4d4f398ec09ca859e
• Opcode Fuzzy Hash: 5d580e6370c16870b6b7d77e20c0a0f84cb3261a0849d97e9d87b7f2df09ab1c
• Instruction Fuzzy Hash: D4511871D0021EAEDF11DFA9CC84AEEBBBCFB54654F10052AE611AB290D6309945CBA0
Strings
• TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 014C063D
• kLsE, xrefs: 014C0540
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
• API String ID: 0-2547482624
• Opcode ID: 4eb50673683ae2931a7b731a3b8427f09d57db7d554133a5456d9cb3a00f4e47
• Instruction ID: 1c2ff31a9a8700b34a7fc1d5c48e981f5f130ba83bbc16b84f810f6fed7aae68
• Opcode Fuzzy Hash: 4eb50673683ae2931a7b731a3b8427f09d57db7d554133a5456d9cb3a00f4e47
• Instruction Fuzzy Hash: A351BC7D600742CBD764DF28C5406A3BBE4AF94B04F10483FE6AA87261E730D545CF92
Strings
• RtlpResUltimateFallbackInfo Exit, xrefs: 014CA309
• RtlpResUltimateFallbackInfo Enter, xrefs: 014CA2FB
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
• API String ID: 0-2876891731
• Opcode ID: 80402eae3ed8ca7bef21fd3e98cd4afb8735ca245ac3244ecc3ac04fcc60d064
• Instruction ID: 827e9e2042a492ce528925e8ee6e0e28d50086c64aaebad48f9430a593d83cdd
• Opcode Fuzzy Hash: 80402eae3ed8ca7bef21fd3e98cd4afb8735ca245ac3244ecc3ac04fcc60d064
• Instruction Fuzzy Hash: 7D41BD79A00659DBDB21CF69C450B6E7BB4FF85B00F24406AE900DF2B1E3B5D941CB40
Strings
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID: Cleanup Group$Threadpool!
• API String ID: 2994545307-4008356553
• Opcode ID: 8a47e4fe44c8fa7b3de03e07e457563387e58edd3da748fea0d83262b19f779b
• Instruction ID: a065aa4e970754d9eecfb31236745f9ec0acb1d00b9ca47e1dacee3d6646a1e4
• Opcode Fuzzy Hash: 8a47e4fe44c8fa7b3de03e07e457563387e58edd3da748fea0d83262b19f779b
• Instruction Fuzzy Hash: AF01F4B2254700AFE312DF24CD45F267BE8E794715F15893EA69CCB2A0E334D804CB46
Strings
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: MUI
• API String ID: 0-1339004836
• Opcode ID: b35cdd2aa18c337fb51cda3922f9b57a94794e07e342b24bb94332e26e9bb7e1
• Instruction ID: 3ec463de0a14457a341c4da12b3539a09732f82e84fb6700220c9ca1ce249abd
• Opcode Fuzzy Hash: b35cdd2aa18c337fb51cda3922f9b57a94794e07e342b24bb94332e26e9bb7e1
• Instruction Fuzzy Hash: D0824E79E002199BDB65CFADC8807EEBBB1BF48B10F14816ED959AB361D7309942CF50
Strings
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID: 0-3916222277
• Opcode ID: 0681e219a56aa1bec198622d8353839a304b4007246a8f8d00373990c87f7078
• Instruction ID: e58eae44f713ff176d9658c3e497c4562f2caa4df94169e607ec6b639726612b
• Opcode Fuzzy Hash: 0681e219a56aa1bec198622d8353839a304b4007246a8f8d00373990c87f7078
• Instruction Fuzzy Hash: 5F91617294021AAFEB21DF95CC95FEE7BB8FF55B54F104059F600AF1A0D675A900CBA0
Strings
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID: 0-3916222277
• Opcode ID: fd1f5f3861a70262ab3bfc95e03c0c3880d457ac705d99c3bb94ffc7cdb7cf57
• Instruction ID: 4a7de05041b2489e0afb1442aa9a2dadf4fea0e665b3e436053c9fd431cbb553
• Opcode Fuzzy Hash: fd1f5f3861a70262ab3bfc95e03c0c3880d457ac705d99c3bb94ffc7cdb7cf57
• Instruction Fuzzy Hash: F9919175A0150AAADF22EFA5DC55FAFBBBDFF95740F100019F600AB260DB74A905CB90
Strings
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: GlobalTags
• API String ID: 0-1106856819
• Opcode ID: 1e5cd708a47c1d3e1bcbe6037da92813d8500855e98a8f70495cd78c7973f695
• Instruction ID: 49fbda530c4f245fd967e8349e73d5f02e1a2d49a08d9f85ac6c08c4aa0181ae
• Opcode Fuzzy Hash: 1e5cd708a47c1d3e1bcbe6037da92813d8500855e98a8f70495cd78c7973f695
• Instruction Fuzzy Hash: 37716F75E0020AAFDF29CF9DC5906ADBBF1BF98710F24812EE505AB351E7719A41CB50
Strings
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: .mui
• API String ID: 0-1199573805
• Opcode ID: 429422e85df4b267b8a8bf5c4cfb613a9abc73c2757fc099a231af034a9e11a8
• Instruction ID: cbde6e20db6ae2fe6e1030bb2cfb11d150314a54cf571dc0580bda648ed75f9b
• Opcode Fuzzy Hash: 429422e85df4b267b8a8bf5c4cfb613a9abc73c2757fc099a231af034a9e11a8
• Instruction Fuzzy Hash: 9E51A372D0022AABDF15DF99D840AAEBBB9FF14A14F05412EEA11BF250D7749C01CBE4
Strings
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: EXT-
• API String ID: 0-1948896318
• Opcode ID: 4df76a62697fb1b311e98f6b6102ad86ccd10bdfd6345bccd03ceffa2067e1b1
• Instruction ID: 3f4c072c94aa5f87ed50df36e796c6def5307ca6d99bb1a5555bddf3aa547654
• Opcode Fuzzy Hash: 4df76a62697fb1b311e98f6b6102ad86ccd10bdfd6345bccd03ceffa2067e1b1
• Instruction Fuzzy Hash: 7F41D5725083129BDB11DB75C890B6BB7E8AF98B14F45092FF684EB2A0E774D904C793
Strings
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: BinaryHash
• API String ID: 0-2202222882
• Opcode ID: 90373a9540d89383db4e4b410bf77606620a73a2a32323df0b9067dc8c548108
• Instruction ID: 36656de4291f2a2bda45cca7e7a0e668b15a8f1419220ccef0c918893b0df1b2
• Opcode Fuzzy Hash: 90373a9540d89383db4e4b410bf77606620a73a2a32323df0b9067dc8c548108
• Instruction Fuzzy Hash: 8F4124B1D0052EAADB21DA90CC94FDEB77CBB94714F0045A6AB08BF141DB709E498FA4
Strings
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: #
• API String ID: 0-1885708031
• Opcode ID: 64ad1f94888e1e4e27a2c2bb5bbb98828c48b2bed9dd1d5886dc872d6270e667
• Instruction ID: 43e8caaa5e07f4ee1a8a2cdaa89916024d43db3f38e834d68421d279a647fc6b
• Opcode Fuzzy Hash: 64ad1f94888e1e4e27a2c2bb5bbb98828c48b2bed9dd1d5886dc872d6270e667
• Instruction Fuzzy Hash: 09312A31A007899BEB22DF69C864BAE7BB8FF54704F94402AED40AF282D775D805CB50
Strings
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: BinaryName
• API String ID: 0-215506332
• Opcode ID: 8c43fee61ca0bb5a1578b278d533dcf0b717811783093f3c42a08f3c5b23d92a
• Instruction ID: b62380599db22a1c060c65ed624a51183e3c41be57c6164bcad0d8a78d4c7b92
• Opcode Fuzzy Hash: 8c43fee61ca0bb5a1578b278d533dcf0b717811783093f3c42a08f3c5b23d92a
• Instruction Fuzzy Hash: C8310336900516AFEB1ADB59C865E6FBBB4FBC0720F01416AA901BB290D7309E00DBE0
Strings
• AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0154895E
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                                                                                                                  • API String ID: 0-702105204
                                                                                                                                                  • Opcode ID: 9d0fabd3aff81f57cdd1052e315683941e819ce1ffa57d29b4f15db3b1713d7b
                                                                                                                                                  • Instruction ID: ec8a1c2b0d62cbb3617e604fd4455cc2dc74f3132b4a7d1ebba7aa29708d10ec
                                                                                                                                                  • Opcode Fuzzy Hash: 9d0fabd3aff81f57cdd1052e315683941e819ce1ffa57d29b4f15db3b1713d7b
                                                                                                                                                  • Instruction Fuzzy Hash: CD012B39211A029FE62A6F96CCC4A9EBFA5FF9565CB08041DF7411F161CB306845C7A2
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 06e71a43ac3ab7ef3af07727851107cd114f8ff53e79581bd55955afa0db7dd9
                                                                                                                                                  • Instruction ID: 445751c433406d7ac53017fde68e9133ea28cd8789c2111e53ec8d8bc4feb2cb
                                                                                                                                                  • Opcode Fuzzy Hash: 06e71a43ac3ab7ef3af07727851107cd114f8ff53e79581bd55955afa0db7dd9
                                                                                                                                                  • Instruction Fuzzy Hash: A442D3726083418FD725CF69C890A6FBBE9BF98340F08492DFA869F250D775D845CB92
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: d7f2a361d5d3fd748e552072daae5245a82c41c296f4e68ffac9bd23f7206796
                                                                                                                                                  • Instruction ID: d93ec792294afb099db55e1ff90ccd937e39018cc7d6ab9ed757791ac4282898
                                                                                                                                                  • Opcode Fuzzy Hash: d7f2a361d5d3fd748e552072daae5245a82c41c296f4e68ffac9bd23f7206796
                                                                                                                                                  • Instruction Fuzzy Hash: 48426F71E00219CFEB65CF6AC891BADBBF5BF48300F15809AE949EB252D7349985CF50
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 9097499f862afec8269a4d87b3b04606af1f6f82c6b4422769e648343d8d76d7
                                                                                                                                                  • Instruction ID: 70ad2c1f450adc8ea942c688760d1587125138f93eeb76afe205c2d8d3867d46
                                                                                                                                                  • Opcode Fuzzy Hash: 9097499f862afec8269a4d87b3b04606af1f6f82c6b4422769e648343d8d76d7
                                                                                                                                                  • Instruction Fuzzy Hash: 6432E271A007668FDB25CF69C894BBEBBF2BF86304F14451DD8869F285D775A802CB90
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 2fb34339259e6f78e6073f8b045c4bd28350de7a435b8792dfae11aed8b873db
                                                                                                                                                  • Instruction ID: e0412d76e33ab1ac54f6d0499aec5a1676a47ba539251fcae881b4215adafa34
                                                                                                                                                  • Opcode Fuzzy Hash: 2fb34339259e6f78e6073f8b045c4bd28350de7a435b8792dfae11aed8b873db
                                                                                                                                                  • Instruction Fuzzy Hash: 2B22E4706046518BEB25CF2DC49037ABBF9BF45301F088859D997AF286E735E852DBE0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 2af6917a14f87a1f9bd52c1b1457ac4132be043a13553ed5df6dfe99bdf5cabf
                                                                                                                                                  • Instruction ID: ff39ad9a55699455897fd5c618467e152084501bf340e44a4d0c4d0ee562092e
                                                                                                                                                  • Opcode Fuzzy Hash: 2af6917a14f87a1f9bd52c1b1457ac4132be043a13553ed5df6dfe99bdf5cabf
                                                                                                                                                  • Instruction Fuzzy Hash: 1932BB75A00615CFDB65CF68C480AAEBBF1FF49700F15856EE956AB3A1D730E842CB90
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                                                                                                  • Instruction ID: 95140f3ea8f48cb28dc98bd15217f1334b06f695c1a12caffaa3fd7fa53f1b29
                                                                                                                                                  • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                                                                                                  • Instruction Fuzzy Hash: 63F15C71E0021A9BDF15CF99C584BAEBBF5BF48711F09812AE905EB364E774D842CB60
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: e30ec8b7cf6f27bae4ed7217299724eb20545b8d054a2eeaeef892b81efab2c2
                                                                                                                                                  • Instruction ID: 0a16fc7f38b845886b93b036a8499bb982fa55fb50cacb6d06d3d6dbd6d509b8
                                                                                                                                                  • Opcode Fuzzy Hash: e30ec8b7cf6f27bae4ed7217299724eb20545b8d054a2eeaeef892b81efab2c2
                                                                                                                                                  • Instruction Fuzzy Hash: 2DD12271E0060A8BDF45CF6AC861BFEB7F5BF88314F18816AD855AB241E735E905CB60
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 83eb948ffb851250d26107562d77c5b80f09472377d2a146ab14516f0eb5d74c
                                                                                                                                                  • Instruction ID: e78404f5c1e64d7e6813b4c88f8c1ffc7d1e0d1edaf2dad80be567f5cbf86117
                                                                                                                                                  • Opcode Fuzzy Hash: 83eb948ffb851250d26107562d77c5b80f09472377d2a146ab14516f0eb5d74c
                                                                                                                                                  • Instruction Fuzzy Hash: 3CE19075609342CFC755CF28C090A6BBBE0FF89704F15896EE9998B361D731E905CB92
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 2f2276b01acd55bbe33a8292cd23caff62d2a9e0e2087bad6f1be9774a41b87d
                                                                                                                                                  • Instruction ID: 6434eddff07e2d357b5c0c3f35d2907cf8f79b11ea74b5ccfd610f26bc211918
                                                                                                                                                  • Opcode Fuzzy Hash: 2f2276b01acd55bbe33a8292cd23caff62d2a9e0e2087bad6f1be9774a41b87d
                                                                                                                                                  • Instruction Fuzzy Hash: F5D1DF71A002079BDB15DF69C8C0AFEB7B9BF64308F14462EE916DB2A4E734D951CB60
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                                                                                                  • Instruction ID: 4396a0bf56e36da57f47b1a0dff3a9c88d785c6e8ae00582c7f578ece9ee5317
                                                                                                                                                  • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                                                                                                  • Instruction Fuzzy Hash: 7EB14075A00605AFDB64DFD9C940AAFBBF9FF84308F14446EAA429B790DA34E905CB10
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                                                                                                  • Instruction ID: efb0846556f37e94b7471569ab55d261de501d512c9350c38482bc0f5e95e9ec
                                                                                                                                                  • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                                                                                                  • Instruction Fuzzy Hash: 92B10632600656AFEF15DBA8C860BBEBBF6BF85300F14015AE656DB391D730E941CB90
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: aa40ecea036ccbae9e661c6ef48c3e12ce8f26c79a9ea3f6a93215aaa07cdb2a
                                                                                                                                                  • Instruction ID: 3dbd5629a3ae00fce3de27eb2e398e989a2d463298adf46df327da96b5084f9c
                                                                                                                                                  • Opcode Fuzzy Hash: aa40ecea036ccbae9e661c6ef48c3e12ce8f26c79a9ea3f6a93215aaa07cdb2a
                                                                                                                                                  • Instruction Fuzzy Hash: E6C157751083418FD764CF19C484BABBBE4BF98704F44492EE9898B3A1E774E908CF92
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: bd64c68d9856c7fb1969ff7d7e339ebd856fb11e36783b495fde8e4663e42a5c
                                                                                                                                                  • Instruction ID: fd0b76ad268b1f24a6de758533b3ceafca75b3e070b65cdbffd7a8adbf9e51ef
                                                                                                                                                  • Opcode Fuzzy Hash: bd64c68d9856c7fb1969ff7d7e339ebd856fb11e36783b495fde8e4663e42a5c
                                                                                                                                                  • Instruction Fuzzy Hash: 0EB18270A002668BDB65DF59C8D0BEDB3B1FF54700F0485EAD54AEB251EB709D86CB20
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 6bb8307ebaa373c75e4b56a924b5f2ff1d3458e4023f7f337bf558f464464bdd
                                                                                                                                                  • Instruction ID: 3650dba0d425b0424c979b5647075dea570afa1f9759c8753c89f4f6f19f384a
                                                                                                                                                  • Opcode Fuzzy Hash: 6bb8307ebaa373c75e4b56a924b5f2ff1d3458e4023f7f337bf558f464464bdd
                                                                                                                                                  • Instruction Fuzzy Hash: 6DA10772E046259FEB21DBA8D848BAEBBF4BB05714F050127EA10BF2E1D7749D41CB91
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: db5c6b423364fa8f57cc6aad57b3b9a1c9b236cc314df0a50957dac46142b3fc
                                                                                                                                                  • Instruction ID: 179830bf7eb2aa8354330a297bd54de76b3b75982ce117ade98ab2a32fa24eeb
                                                                                                                                                  • Opcode Fuzzy Hash: db5c6b423364fa8f57cc6aad57b3b9a1c9b236cc314df0a50957dac46142b3fc
                                                                                                                                                  • Instruction Fuzzy Hash: 9FA1F2B0B016169BDB26CFA9C590BAEB7F1FF84354F044429EA059F2C1DB74E815CB90
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 89ef5b5667c56c68370c52f807e1ea9bd90bda2b9840f32a28e9b19e5e2816c3
                                                                                                                                                  • Instruction ID: 39926f4000295d04926aa163b39bc8dfe86051b1a78570c16e95a83de2abf38e
                                                                                                                                                  • Opcode Fuzzy Hash: 89ef5b5667c56c68370c52f807e1ea9bd90bda2b9840f32a28e9b19e5e2816c3
                                                                                                                                                  • Instruction Fuzzy Hash: F9A1CD72A14652EFCB12DF18CA90B6AB7E9FF58704F05092DE5859F660C334EC02CB92
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                                                                                                                  • Instruction ID: 8645e54769abb0962769fb5cba8805924c5cae8e30b34b8e0f74737d9ca8b07f
                                                                                                                                                  • Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                                                                                                                  • Instruction Fuzzy Hash: 3AB13971E0061AEFDF19CFA9C880AADBBF5FF48310F148169E915AB355D730A941CB91
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: fe6c5baee720142d036e295f3453fc887b24382b33eba1f0dddf49b4b769f757
                                                                                                                                                  • Instruction ID: 8e166c8226389d7bde8021cd5476dda10e763cc447c27a974f2d3fd9227944f8
                                                                                                                                                  • Opcode Fuzzy Hash: fe6c5baee720142d036e295f3453fc887b24382b33eba1f0dddf49b4b769f757
                                                                                                                                                  • Instruction Fuzzy Hash: FD91C071E00216AFDF15CFA9D884BAEBFB5BF4A714F15416AE610AF350D734E9008BA0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: ab4eb8c950972e10de590923b41ddef01f18330ddbaff128b73eb8dc34d0c662
                                                                                                                                                  • Instruction ID: 8976310170e704dea4ebcd4381bc4aad7c8a4b65d5294c3388af0f8919b5e853
                                                                                                                                                  • Opcode Fuzzy Hash: ab4eb8c950972e10de590923b41ddef01f18330ddbaff128b73eb8dc34d0c662
                                                                                                                                                  • Instruction Fuzzy Hash: 9B914732A00626CBEF24DF59C4A0BBE7BA1FF95758F05406AE905AF3A0E774D902C751
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 28db766a046f8a2884e132c5d8443b3ce1058188a1e27fbb2e7ba54ff2283418
                                                                                                                                                  • Instruction ID: 68da439fa6bd6025ddda14ce7a1b334fd8c29358116a34eed62d1a04781d6522
                                                                                                                                                  • Opcode Fuzzy Hash: 28db766a046f8a2884e132c5d8443b3ce1058188a1e27fbb2e7ba54ff2283418
                                                                                                                                                  • Instruction Fuzzy Hash: 76819471A0061A9FEB15CF69C850ABEBBF9FF48700F04852EE545EB644E374D940CB94
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                                                                                                  • Instruction ID: 54f8af534925e10db50a8bc88945ead8b2ae04efa8e60a3076981789d27952ed
                                                                                                                                                  • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                                                                                                  • Instruction Fuzzy Hash: 61818371A0020A9FDF19DF99C490AAEBBF6FF84310F18856AD916AF345D774E901CB50
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 6e7d285f7c49718045e95200d618b780d7f5561f898b5c28f5d241af46973994
                                                                                                                                                  • Instruction ID: 12e14409afd0dd05c89d8eacd72963da970036b6bb57a5d6302d8750d44ee62a
                                                                                                                                                  • Opcode Fuzzy Hash: 6e7d285f7c49718045e95200d618b780d7f5561f898b5c28f5d241af46973994
                                                                                                                                                  • Instruction Fuzzy Hash: 08815F71900609AFDB25CFA9C884AEEBBF9FF88354F11442EE655A7360D770AC45CB50
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: dc30de28e0e2e2e1303526f1b42c8b804a6e904b6f6ab4d60ea4fad9574aff3c
                                                                                                                                                  • Instruction ID: bfedd535e9f044d55dec70e392f9b3d7fc32072f59f56f5f61885a93deb11155
                                                                                                                                                  • Opcode Fuzzy Hash: dc30de28e0e2e2e1303526f1b42c8b804a6e904b6f6ab4d60ea4fad9574aff3c
                                                                                                                                                  • Instruction Fuzzy Hash: DD71BC76C00626DBCB258F99C8A07BEBBF4FF59710F15411EE952AB3A0D7349805CBA0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                  • Opcode ID: 7e18ce1083d402c1538a526391288992946d76e7db589fa3b075bb2dbd5688c7
                                                                                                                                                  • Instruction ID: 81a40daa15e7ad02473fafb51d0bde45435df54f218cead7195a96388fd8c217
                                                                                                                                                  • Opcode Fuzzy Hash: 7e18ce1083d402c1538a526391288992946d76e7db589fa3b075bb2dbd5688c7
                                                                                                                                                  • Instruction Fuzzy Hash: 7471D671900205EFDB20DF9AE986EAEFBF9FF94300F05415AE620AF258D7718944DB64
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 860360ef99dd8e047bd4f905d7377c3a7edceed4d012e9ec49644383ea50ccfb
                                                                                                                                                  • Instruction ID: e3d71d6a13b822fc4c0c2ce51d12a7861c10d4d624f698bb9c837c60a5e37a3c
                                                                                                                                                  • Opcode Fuzzy Hash: 860360ef99dd8e047bd4f905d7377c3a7edceed4d012e9ec49644383ea50ccfb
                                                                                                                                                  • Instruction Fuzzy Hash: 5471F2356046529FD721DF28C490F2AB7E5FF94300F0585AAE898CB362DB74DC46CBA1
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
                                                                                                                                                  • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                                                                                  • Instruction ID: 571513b0084ecb4003535f4628fac87b5ee9dabe2691b8dce439ccb1a283eaa8
                                                                                                                                                  • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                                                                                  • Instruction Fuzzy Hash: 90515975A00215CFDB15CF98C480AAEF7B2FF84710F2881A9D955EB355D774AE82CB90
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 617360377c6c4b6213e4c25bdcce2b846c05dcc779303afffb2e6e1c1284883d
                                                                                                                                                  • Instruction ID: ac5ea9e95fc02932021b2f53b6336ad7bf25a0be01702115b7301646d0a05c52
                                                                                                                                                  • Opcode Fuzzy Hash: 617360377c6c4b6213e4c25bdcce2b846c05dcc779303afffb2e6e1c1284883d
                                                                                                                                                  • Instruction Fuzzy Hash: AD5104B1901216DFDB659B28CC50BE9BBB1FF11314F0582AEE529AB3E1DB749981CF40
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 32503754d47299b8fb1f076d8b801ecbbf0d9f2467a2338a3ef3355e15f9df16
                                                                                                                                                  • Instruction ID: 66dd4131e1f6720a24e56c020df0ef03c02a49ab7bf2b8c8d1ba0a9f1ecc019d
                                                                                                                                                  • Opcode Fuzzy Hash: 32503754d47299b8fb1f076d8b801ecbbf0d9f2467a2338a3ef3355e15f9df16
                                                                                                                                                  • Instruction Fuzzy Hash: FA41CF79A00228DBDF62DF69C841BEE77B4FF55B00F4100AAE908AF251D7749E81CB91
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                                                                  • Instruction ID: 56b4a15c0a1a88453daa867a62f2e3a1f3896e8ef3620a1ff7504165560ade15
                                                                                                                                                  • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                                                                  • Instruction Fuzzy Hash: EC41B575B00106ABEB15EF99CC84AAFBBBAFF98744F644069E500FB341D670DD0187A0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 287d2a55d9d3ecb5233d71342ec2901517daf8105f91caea0b2685fdb20393bf
                                                                                                                                                  • Instruction ID: 38908c40da55ad7db34986e31c3011f0e4d92dd5dcd7a3155b0a642d5a68bc2d
                                                                                                                                                  • Opcode Fuzzy Hash: 287d2a55d9d3ecb5233d71342ec2901517daf8105f91caea0b2685fdb20393bf
                                                                                                                                                  • Instruction Fuzzy Hash: BD41D378600702DFE765CF29C490A67B7F9FF48714B108A6EE54787660E730E846CB50
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: a835e91df2350cd0575f6ac37e6176cbbc88263c247e385cf4d048d7c5f677e6
                                                                                                                                                  • Instruction ID: 7c07b64aeda17f6a910a210d0b583d7a6df6cc021b36f19ecf5587843929d73d
                                                                                                                                                  • Opcode Fuzzy Hash: a835e91df2350cd0575f6ac37e6176cbbc88263c247e385cf4d048d7c5f677e6
                                                                                                                                                  • Instruction Fuzzy Hash: 3B41A032940215CFDF21DF68C499BAE7BF0FF59311F2501AAD422AB3A5DB349905CB64
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 10134770b7fa87481a8746e8c24fa2625f387fe72d20321f205931c8c4abc111
                                                                                                                                                  • Instruction ID: a08301cce4230ce7c2db0e5353b13ab54d60f11d9f01d494cab66d3efdd2aef6
                                                                                                                                                  • Opcode Fuzzy Hash: 10134770b7fa87481a8746e8c24fa2625f387fe72d20321f205931c8c4abc111
                                                                                                                                                  • Instruction Fuzzy Hash: 8B41053A900213CBDB74DF59C880A6ABBB1FBA5B14F15812FD5229F366C735D842CB90
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: beb5091d25889732c97d2e943bbb68a5c63f7745318ebae5a14656344d38c888
                                                                                                                                                  • Instruction ID: ca82bc5cafdaf4c036c6d26c066298dadc1ad792ad9a91c5418d3ff03e9a8f98
                                                                                                                                                  • Opcode Fuzzy Hash: beb5091d25889732c97d2e943bbb68a5c63f7745318ebae5a14656344d38c888
                                                                                                                                                  • Instruction Fuzzy Hash: E74131755083069EE712DF55C880A6BB7E9BF94B54F40092FF984DB160E730DE458BA3
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                                                                                                  • Instruction ID: 2ff46e594fc5a9128080b86ffe039df60b01eb41a834cee671c615dee949d776
                                                                                                                                                  • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                                                                                                  • Instruction Fuzzy Hash: E8413B71A00212DBEB22DE2984C07FEBBB1FB50754F25806BE9558F254E6328D41CBA1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: f3b9e557595ae0f9fb9b7872205232e153eb48d89fdd9a9a6e40fe3a7f18bcd5
                                                                                                                                                  • Instruction ID: ccd37401f468b02a39ba99c21598dc4ff4a354a051caea2f9dc46b23419d98fe
                                                                                                                                                  • Opcode Fuzzy Hash: f3b9e557595ae0f9fb9b7872205232e153eb48d89fdd9a9a6e40fe3a7f18bcd5
                                                                                                                                                  • Instruction Fuzzy Hash: E9415A79600601EFD761DF19C840B2ABBE4FF68B14F24866FE449CB261E771E942CB90
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                                                                                                  • Instruction ID: b81df03184ea044aebf2370e80fb1ae875a22e8446b9ee5c751cc8912f4f330d
                                                                                                                                                  • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                                                                                                  • Instruction Fuzzy Hash: D7412A75A00605EFDB24CF98C980AAABBF5FF58700B10496EE656D7362D330EA44CF50
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: dad49466db10721dd63e25316d52abf8e1e1fb82d1940eba312638e8f2c8f75c
                                                                                                                                                  • Instruction ID: 5f5e317edcd57fa931b2cb7481c3aaabf75dd30a54fe2ce87c6d80756b092716
                                                                                                                                                  • Opcode Fuzzy Hash: dad49466db10721dd63e25316d52abf8e1e1fb82d1940eba312638e8f2c8f75c
                                                                                                                                                  • Instruction Fuzzy Hash: AC41B0B9601701CFCBA2EF29C980A59B7F1FF54B10F14866FD41A9B2B1DBB09941CB51
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d00abbf30af795fdc6bc161aeee392423431cddbb7a67bb7de93ad9eaf35a9e2
• Instruction ID: a16cfd89d674cf6742b0a5715b43b3a1889b5940a6181c7c3e642a061de0d5d5
• Opcode Fuzzy Hash: d00abbf30af795fdc6bc161aeee392423431cddbb7a67bb7de93ad9eaf35a9e2
• Instruction Fuzzy Hash: FE315AB1A00249DFDB12CF68D440B99BBF0FB49714F2085AED119EB361D7369906CF90

Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 905ac3c4dd0a96fa0a4a2dba23174c44c3bb90cf8cb7d7682c0aec2091aabeed
• Instruction ID: 39c48f534a1f2c5efbade0f8f55c430806fdb201165b3b082504e6773bc4fd63
• Opcode Fuzzy Hash: 905ac3c4dd0a96fa0a4a2dba23174c44c3bb90cf8cb7d7682c0aec2091aabeed
• Instruction Fuzzy Hash: 3F419EB15043019FE760DF29C885B9BBBE8FF88614F104A2EF698DB291D7709904CB92

Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 87eda72f17ebe37a9bb1f567bf2f1237258aa7a43ac206558fe6654da1032eee
• Instruction ID: e090896890b638ea79abe4ff2fcff8dc19ab979c999b266747466ddee9569c2b
• Opcode Fuzzy Hash: 87eda72f17ebe37a9bb1f567bf2f1237258aa7a43ac206558fe6654da1032eee
• Instruction Fuzzy Hash: 9E41C471A06517DFDB01DF19C880AE9B7B9BF54760F14822BD815A72A0D730DD428BA0

Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: acb863d7c5eabec97891bca8350f2776140ff1016aa0f338954df09725c52138
• Instruction ID: 2ea37646f461aa3dc4ea7e5b0de1c3c97724051c2e28fb37df8a87406f2a6d2e
• Opcode Fuzzy Hash: acb863d7c5eabec97891bca8350f2776140ff1016aa0f338954df09725c52138
• Instruction Fuzzy Hash: 8041C2726046429FD321DF68C850AAAB7E5FFC8704F24061DFA559B6D0E730E905C7A6

Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c342ac641d0a4f9996fa2c399d10cae4fbfe3ff8db758024a64a07d5212685bd
• Instruction ID: 6b93a8fc01f59b29d95bf720bfe78695d1dd40030355e98a13df90a778ea99ba
• Opcode Fuzzy Hash: c342ac641d0a4f9996fa2c399d10cae4fbfe3ff8db758024a64a07d5212685bd
• Instruction Fuzzy Hash: 2A41E3752003118BD765CF28D9A4B6BBBE9FF90B60F18442EE6558B2B1D730D801CB51

Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1a99abf18405639492875e370e198194e2d7148923f8d972578846465a5252f4
• Instruction ID: 90e1bcf88361abf9b67161389fe9eb4c6cbdc7f125325d3be2d5f7d95058b515
• Opcode Fuzzy Hash: 1a99abf18405639492875e370e198194e2d7148923f8d972578846465a5252f4
• Instruction Fuzzy Hash: 7741AFB1A01206DFCB15DF69C9809DDB7F5FF98720B10862FD466AB360D7309901CB60

Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
• Instruction ID: 7e513d581c317ba43b18c9cda44be07eef5bce6dabafdfb339e050442ed7bdc0
• Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
• Instruction Fuzzy Hash: 7E311532A00245ABDF228B6CCC50B9BBFE9AF54350F04416BF415EB3A2CB749845CBA0

Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c3efa3b4a10d3287c1c22ccf4876c568f724c3baca592c95cd47a0ad67c92969
• Instruction ID: 52c62830f88fb2a588439a449836f51b408e4422f9d56d8f6cd35d484d7cad23
• Opcode Fuzzy Hash: c3efa3b4a10d3287c1c22ccf4876c568f724c3baca592c95cd47a0ad67c92969
• Instruction Fuzzy Hash: 5E319675741706ABDB22DF658C91F6B76E9FB69B51F000029B600AF291DAB5DC00C7E0

Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f470a94c6795c56fad49451cd78788d87b0eb812673ff50cbc04cd3d8c4e9e6a
• Instruction ID: 5e4ab65cd09b680dbf74478b268886912e719a4afd84e03b110a7947336dab64
• Opcode Fuzzy Hash: f470a94c6795c56fad49451cd78788d87b0eb812673ff50cbc04cd3d8c4e9e6a
• Instruction Fuzzy Hash: B931E2722052118FC721DF1DE892E2AB7E9FB84360F0A446EE9A98F251D730EC44DF91

Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 169502c50bf8f9ce6063a55199974730ddb56541627df30fe443e592f13f46c9
• Instruction ID: 206da961b5e617e942837d20f9196f18c8b936b050b846b43f640e8c49b0e585
• Opcode Fuzzy Hash: 169502c50bf8f9ce6063a55199974730ddb56541627df30fe443e592f13f46c9
• Instruction Fuzzy Hash: 2941D376201B05DFD762DF28C590BDA7BE5BF56714F14441EE6598F2A0C730E805CB50

Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7e1a7c9e887752327fe9fde895957ea9bcbfc1e5f555f0bd98fd97c671ab0f84
• Instruction ID: 21bc515e6fc5e79eb069d8b90c0af108ac4aea630d82a54c255b3c66feddc8a9
• Opcode Fuzzy Hash: 7e1a7c9e887752327fe9fde895957ea9bcbfc1e5f555f0bd98fd97c671ab0f84
• Instruction Fuzzy Hash: 64318F716042018FD720DF29E892E2AB7E9FB84710F09496DF9659F255E730EC44CB91

Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 27a5d88f9c0619ab4a5a64e82180687ce83cb7ba5d457c3ee7393f51708ee01f
• Instruction ID: dcaa7d6e47dd31be90394f165a68a6c243c600467f7616b9fbcf364d97c55d06
• Opcode Fuzzy Hash: 27a5d88f9c0619ab4a5a64e82180687ce83cb7ba5d457c3ee7393f51708ee01f
• Instruction Fuzzy Hash: 1131F2712016869BF72B9B5DCD69F697BD8FB80744F1D00A4AB418F6E2DB38D842C631

Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d7512a760e4a7af150b11da7264ca07105c6b4b0ef25931e0edc891880d482f6
• Instruction ID: 313e3c293d458b49c62134bdeee0ce812610ab8428118584d47c3f8d4fed16f1
• Opcode Fuzzy Hash: d7512a760e4a7af150b11da7264ca07105c6b4b0ef25931e0edc891880d482f6
• Instruction Fuzzy Hash: A431C475A00116EBDB15EF98CC40FAEB7B5FB48B40F4541A9E901AF284D770ED41CBA4

Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 63657846a891668d795d7f4e4a38afaa6cca9e96a5356295fdcda70f7633b922
• Instruction ID: 6f3420e7547d6e7bef8bf40891e4163e6e5f7ab29231d47c1403d58cca15121a
• Opcode Fuzzy Hash: 63657846a891668d795d7f4e4a38afaa6cca9e96a5356295fdcda70f7633b922
• Instruction Fuzzy Hash: E2316376A4012DABCF21DF55DC84BDEBBB9BB98710F1000A5A508A7260CB30DE91CF90

Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 48598478c547a1a4c35b889fd3dc1e2599c004bc84fdf4b5b23445d7e7e9f96c
• Instruction ID: 8334fe509a23e5f4533317fa68ae1f9c1f6963d066cb58ccb22737e830da0c0b
• Opcode Fuzzy Hash: 48598478c547a1a4c35b889fd3dc1e2599c004bc84fdf4b5b23445d7e7e9f96c
• Instruction Fuzzy Hash: 4031B572E00215AFDF21DFA9C844AAFBBF9EF54750F01446BE516EB260D6709E018BA0

Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                  • Opcode ID: f4f1d1c4dfeccfc2a0a1b026c53f36d31bd747327dabcf8441e77bceede025bf
                                                                                                                                                  • Instruction ID: 038d686388d74888ad47e1d01fba74961fdf18208e1b6773ac5e64a7022feb32
                                                                                                                                                  • Opcode Fuzzy Hash: f4f1d1c4dfeccfc2a0a1b026c53f36d31bd747327dabcf8441e77bceede025bf
                                                                                                                                                  • Instruction Fuzzy Hash: A031C071A00606EFDB22AFA9C890B6EB7F9BB94754F040469E506EF352DA70DC018B90
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 9eb821ac3db3ab2528448e952a40f88f5495c8ca8c56596fa56260b097d8c020
                                                                                                                                                  • Instruction ID: a624a6eb70595c409c862b7cb332231409261ac604c6febe4aadaca8d3e4548c
                                                                                                                                                  • Opcode Fuzzy Hash: 9eb821ac3db3ab2528448e952a40f88f5495c8ca8c56596fa56260b097d8c020
                                                                                                                                                  • Instruction Fuzzy Hash: 4E31B87EA04612DBD752DE59C88096B7BA5EFA4A50F01852EFD55A7320DA30DC018BF1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 1cb2dd86b79a69a3117da88368df25189d396c9d8b9ff5e478a524eaa321a81b
                                                                                                                                                  • Instruction ID: 1aab555ed0ddd6ffe29676b09a992e2fc1a3d9ef9e270d580026a79f77fd01f8
                                                                                                                                                  • Opcode Fuzzy Hash: 1cb2dd86b79a69a3117da88368df25189d396c9d8b9ff5e478a524eaa321a81b
                                                                                                                                                  • Instruction Fuzzy Hash: DD31C2765053128FE760CF19C840B6BBBE5FF98B00F04496EE9849B3A0D775E844CB91
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                                                                                                  • Instruction ID: ed31484a2b2a2fe04aa9588518ac8d5a07466613601f9e45259d05a139c8b5e7
                                                                                                                                                  • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                                                                                                  • Instruction Fuzzy Hash: 36312DB2B04B01AFD761CF69DD40F57BBF8BB48650F14092EA69AC7761E630E900CB60
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 795106d9a81826937874c13dd5b730b9996f8c6e5d46945389d51866e965fe7c
                                                                                                                                                  • Instruction ID: 4a411b630ad2ec232a8c628848206aac8a00b181549adafd66b1ff14b1032ad9
                                                                                                                                                  • Opcode Fuzzy Hash: 795106d9a81826937874c13dd5b730b9996f8c6e5d46945389d51866e965fe7c
                                                                                                                                                  • Instruction Fuzzy Hash: A231EAB5506302CFCB11DF1AC48186ABBF9FF89604F444AAEE488AF215D330DA44CBC2
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 75f17667f4f24692ecc8ad09a5e9f840d1c77f4777e9bf8ab0a4ebbda27ccfb9
                                                                                                                                                  • Instruction ID: da8a1d3afdba2c6565e627cfc6f63b1f7180b1dab339e245cc52200459e8c38e
                                                                                                                                                  • Opcode Fuzzy Hash: 75f17667f4f24692ecc8ad09a5e9f840d1c77f4777e9bf8ab0a4ebbda27ccfb9
                                                                                                                                                  • Instruction Fuzzy Hash: FE31D632B002059FD720DFA9C985A6E77F9BF94705F14853BD106D76A4D730EA45CB90
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                                                                                                  • Instruction ID: 79fd96c48dc3b68d39e74992fcaac0796cd565813b804c8c6dd5af7ffe4d3344
                                                                                                                                                  • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                                                                                                  • Instruction Fuzzy Hash: C8210B72E012566AE7129FB98481BEFBBB5AF14740F0584369E15EB350E270C90087B0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: b805b5f9f5cb7f5f0180fb4cb2a93bd60b806f3b01e4d901ae8e097bcbe4258f
                                                                                                                                                  • Instruction ID: edce57cd9ab9c22f688a854dc2e6e2478ef537e0989bcd35d233d39b68850b46
                                                                                                                                                  • Opcode Fuzzy Hash: b805b5f9f5cb7f5f0180fb4cb2a93bd60b806f3b01e4d901ae8e097bcbe4258f
                                                                                                                                                  • Instruction Fuzzy Hash: 17317D715002018BEB32AF58CC94BAD77B4FF50304F4486ADDD469F396EA74D986CB90
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                                                                                  • Instruction ID: c195a03f2d3250a7851f3221230fd6bc31278151428c35fd1bf9ab2b5abdb460
                                                                                                                                                  • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                                                                                  • Instruction Fuzzy Hash: 1B212B36600653A6CB15AF959801EBBBBB5FF90711F40841FFA958F691E735D940C3A0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: fd5c35da20970ddb97f4d6dd7bb765b36232af6f4a39a326908eafe3db62a4ec
                                                                                                                                                  • Instruction ID: 43610b97ebc7bb75cef745dd17296064fc305d523c5b950b5134034f46049407
                                                                                                                                                  • Opcode Fuzzy Hash: fd5c35da20970ddb97f4d6dd7bb765b36232af6f4a39a326908eafe3db62a4ec
                                                                                                                                                  • Instruction Fuzzy Hash: 2831F932A0111C9BDB31DF19CC81FEE77B9EB65740F0101A6E645BB2A0D6B49E818FB1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                                                                                                  • Instruction ID: 8eb96333828e9cedb36460617f61f608d77c5a6b669202f4518a82b1ae2c3793
                                                                                                                                                  • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                                                                                                  • Instruction Fuzzy Hash: 75219131A00609EBDB11CF59C980A9FBBB5FF58314F14806AEE199F351DA74EA058B90
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 51b2feb0a19ec20e779260072f0923e00ed0afd937cc9b0d73ba91dd057c7194
                                                                                                                                                  • Instruction ID: 4288306c8f0fa17530e879d6a7b8b0a4175eb2913b32bb7227a01466e013a04a
                                                                                                                                                  • Opcode Fuzzy Hash: 51b2feb0a19ec20e779260072f0923e00ed0afd937cc9b0d73ba91dd057c7194
                                                                                                                                                  • Instruction Fuzzy Hash: 5D21C0726047059BCB22DF59C884B6BB7E4FF88760F05451EFB549B350CB30E9018BA2
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                                                                                  • Instruction ID: 8fea5e5ede8ee358ca938b900658388d26cb66f9548723a329d8b0c7abeb2374
                                                                                                                                                  • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                                                                                  • Instruction Fuzzy Hash: 7F31AF31600605EFE721CF69C884FAAB7F9FF85354F1045AAE5129B291E734EE02CB60
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 571ecdc94e87be6430f2926c00b4ab30b9fe2f43297baa086cdf264f720226f0
                                                                                                                                                  • Instruction ID: f4059e7ff3ae9d28fb19a2780721faf64f041ef112d4b3e3ffe00e23d0fd768f
                                                                                                                                                  • Opcode Fuzzy Hash: 571ecdc94e87be6430f2926c00b4ab30b9fe2f43297baa086cdf264f720226f0
                                                                                                                                                  • Instruction Fuzzy Hash: FF317A75A002069FCB14CF58D8859AEB7F5FFC4314B15445AE80A9F391E771EA50CB90
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 64a0077419a2ddcd412d2568362d58917f43994d88d849af97d49d6813bb5b7c
                                                                                                                                                  • Instruction ID: f1eb1a950aa4b4580e3b0c2b13826cb6c7a5fdd5b9030e31894f18d3606a7066
                                                                                                                                                  • Opcode Fuzzy Hash: 64a0077419a2ddcd412d2568362d58917f43994d88d849af97d49d6813bb5b7c
                                                                                                                                                  • Instruction Fuzzy Hash: A021B1719001299BCF21DF59C881AFEB7F4FF48744F51006AF941AB290D738AD41CBA1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 7ad3439eecbd7e6aa5ee4c610ec4d1ae826a43257c40434d2fbf7b8e2a6fe21f
                                                                                                                                                  • Instruction ID: 99968323a70225632c48a919418211f25585b6e6604c6762b34cd10226e51d42
                                                                                                                                                  • Opcode Fuzzy Hash: 7ad3439eecbd7e6aa5ee4c610ec4d1ae826a43257c40434d2fbf7b8e2a6fe21f
                                                                                                                                                  • Instruction Fuzzy Hash: 1721BC71600605AFDB15DFADC840F6AB7B8FF98744F14006AFA04DB6A0D634ED00CBA4
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: d82601ed69f2251baff45eddc3a3ed7d6ea1d1487f31b31ac2740f752520805f
                                                                                                                                                  • Instruction ID: bcec635c2d5edf0ba1e4a42b199f7bcebfe4961b497f2526043ca1b378c43a12
                                                                                                                                                  • Opcode Fuzzy Hash: d82601ed69f2251baff45eddc3a3ed7d6ea1d1487f31b31ac2740f752520805f
                                                                                                                                                  • Instruction Fuzzy Hash: C621B6725043469BDB11DF5AC848F9FBFDCBFA1658F18045ABE80CB2A1D734D505C6A2
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 2ada5a08676d76c40b03927e67a3c1ef8723da859edf28e24089d95bff52d489
                                                                                                                                                  • Instruction ID: 491bcd55cc892597a53aad75c3d9c5b2520bdaf897df99d9e1b88e6a5fa7d976
                                                                                                                                                  • Opcode Fuzzy Hash: 2ada5a08676d76c40b03927e67a3c1ef8723da859edf28e24089d95bff52d489
                                                                                                                                                  • Instruction Fuzzy Hash: 73212C326456929BF722972D8C18F193BD4BF41775F280366FA209F6F2D7B8C8028541
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 71e4e3dd590a513c275f2601fb2ecd8c88acb4032a7a5ebacd095343b0efcc19
                                                                                                                                                  • Instruction ID: 91d7376a8b1ef3b938f873649207eec34e0945a1e29802a233d030c3e6f66a14
                                                                                                                                                  • Opcode Fuzzy Hash: 71e4e3dd590a513c275f2601fb2ecd8c88acb4032a7a5ebacd095343b0efcc19
                                                                                                                                                  • Instruction Fuzzy Hash: 6121B879200A01AFCB25DF2ACC40B46B7F5FF58B44F24846DA509CBB62E331E942CB94
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: d8798f641b3dd2bd1572bdffb9ab450de368b6a5a66afdae24a2a07b5fffdf72
                                                                                                                                                  • Instruction ID: 9f71bd4a3230d56c6a49d9550f56dec2c69c866a206430a3c9e9035fbce10108
                                                                                                                                                  • Opcode Fuzzy Hash: d8798f641b3dd2bd1572bdffb9ab450de368b6a5a66afdae24a2a07b5fffdf72
                                                                                                                                                  • Instruction Fuzzy Hash: F7110A76340A12BFEB225659BC02F2F7699EBE4B70F190428B718CF190DB70DC0187A5
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 6c99b727ca2e9c1d51def5eefcf7a183873b8ff6273919a69c39298b2ced5941
                                                                                                                                                  • Instruction ID: 2787e99227b5b2e660a308ea2bd7c45a5c772d44eab6d04baa4883f708757264
                                                                                                                                                  • Opcode Fuzzy Hash: 6c99b727ca2e9c1d51def5eefcf7a183873b8ff6273919a69c39298b2ced5941
                                                                                                                                                  • Instruction Fuzzy Hash: C321FAB1E01209ABCB64DFAAD9809EEFBF8FF98714F10012FE505AB254D7709945CB64
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                                                                                                  • Instruction ID: ecc801c5a207d5dbe5ca01c2270270d9a5a9da878ed25be6165eca5cf60c2847
                                                                                                                                                  • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                                                                                                  • Instruction Fuzzy Hash: AC218E72A00209EFDF129F99CC50BAEBBB9FF98310F20481AF900AB261D734D9509B50
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                                                                                                  • Instruction ID: ff9131cd42a7de7c2b1ef5be2d764f8b72ff54785d110cc2e84500a6a3a7359b
                                                                                                                                                  • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                                                                                                  • Instruction Fuzzy Hash: 6611EF72600605AFE7229F89CD80F9BBBB9EB90754F10402EF7048F2A0D672ED44CB60
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 6e4f4f150c330d69990daeff7faaa11a90f71928c6498f41507dc3c37c59640c
                                                                                                                                                  • Instruction ID: 6efd282655192346b9d740582c9d2f867153a46ae8ae1c856fc16ee9d2513ed5
                                                                                                                                                  • Opcode Fuzzy Hash: 6e4f4f150c330d69990daeff7faaa11a90f71928c6498f41507dc3c37c59640c
                                                                                                                                                  • Instruction Fuzzy Hash: B71186397016129FDB51CF4DC9C0A57BBE5AF56B50B18407EED08DF315E6B2D9018790
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                                                                                                                  • Instruction ID: 133cb680d89aa5b72b431cec1e7721d697c17cd5007f3c55bbd1446270dfbcfe
                                                                                                                                                  • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                                                                                                                  • Instruction Fuzzy Hash: 35217C72600649DFD7259F4AC540A66BBE6FF94B50F25887EEB498B724C730ED01CB40
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: d3ee1fd0542ac099a05d14216ae4a8757efe2bd0988b4aa94408215aec0531f5
                                                                                                                                                  • Instruction ID: 7bf824168206b3b7d9ba26cbc8dbd661701dfe7b27226408646a19969f62e07a
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: ffb7863bfdcb955bda4fa52a719a1a80fe20c05f552f41126adf2363980c570d
                                                                                                                                                  • Instruction ID: 76c15046a2e6945360d9b08ee42908cacee987f9144a676853db7e1959d84f7a
                                                                                                                                                  • Opcode Fuzzy Hash: ffb7863bfdcb955bda4fa52a719a1a80fe20c05f552f41126adf2363980c570d
                                                                                                                                                  • Instruction Fuzzy Hash: D50122734412019FCB32DF1CCA40E16B7A8FB91770B254229E9A89F1A2D730DC02CBC2
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: f4814b9af771212c7a8f1dbb81598fde47c810be4d71edcaaccc7843cd96e366
                                                                                                                                                  • Instruction ID: e8818ce4e27b764c9942d5ec0baeffc2c0bbc9fa51a8927d056436aabeea73f5
                                                                                                                                                  • Opcode Fuzzy Hash: f4814b9af771212c7a8f1dbb81598fde47c810be4d71edcaaccc7843cd96e366
                                                                                                                                                  • Instruction Fuzzy Hash: 0611A136241241EFDB15EF19CD91F56BBB8FF94B44F100069F9059F661C235ED01CAA0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: e2927ce5c68545c2deaf060514a83dc95c9f3c5f3fd4765588cf5b5b05b00d43
                                                                                                                                                  • Instruction ID: 71421bcad63f932aa18c544fcfc93ac10990259c8121ee6ca873d696f39a066e
                                                                                                                                                  • Opcode Fuzzy Hash: e2927ce5c68545c2deaf060514a83dc95c9f3c5f3fd4765588cf5b5b05b00d43
                                                                                                                                                  • Instruction Fuzzy Hash: F711CE71502229ABDF66EF64CC52FE9B3B4BF44710F5081D9A318AA1E0DB309E81CF84
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 2b58c22e7ded71042378438ead8a194cf0c2388a9e587687598867098592915b
                                                                                                                                                  • Instruction ID: b57965df964105eb5c02aeaf2a85c28ad3dddffa62de86ff3189b73445dd59ed
                                                                                                                                                  • Opcode Fuzzy Hash: 2b58c22e7ded71042378438ead8a194cf0c2388a9e587687598867098592915b
                                                                                                                                                  • Instruction Fuzzy Hash: 96111B72900019ABCB16DB95CC84EDF77BCFF58258F054166A906A7211EA34AA15CBE0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                                                                                                  • Instruction ID: 9e76da230d4d2178d6997827991946a5e30e16fbe73791ef199ffd7c36740f2a
                                                                                                                                                  • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                                                                                                  • Instruction Fuzzy Hash: 3401F5766001119BEF528E2ED880F5677A6BFD4A00F1540ABEE058F26ADAF18C82C790
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: f5224e3de2b477a164d2f43c433b7dc2d90ac07f32659f4ce5c842301097ea7b
                                                                                                                                                  • Instruction ID: cf6c6dd3d3ea1875dae7398b0937841b1fadc88292395b6e27efbf54fadab79e
                                                                                                                                                  • Opcode Fuzzy Hash: f5224e3de2b477a164d2f43c433b7dc2d90ac07f32659f4ce5c842301097ea7b
                                                                                                                                                  • Instruction Fuzzy Hash: CF11E5326401859FC741CF28C450BA5B7B5FB56318F88815AE8448F315D731EC41CBA0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 203dc12d598750cdfb08741cd5ad5ea7b168646011e6d386914e4456df60196d
                                                                                                                                                  • Instruction ID: dbb483512b58dc230dc686b63ac8f8c9fdd8cba6915e5c26178b4e2de35facf2
                                                                                                                                                  • Opcode Fuzzy Hash: 203dc12d598750cdfb08741cd5ad5ea7b168646011e6d386914e4456df60196d
                                                                                                                                                  • Instruction Fuzzy Hash: 0911ECB1E012099FDB04DF99D545A9EBBF4FF58250F10406AA905EB351D674EA018BA4
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: ed228d0a4bb73029d87fcf7bdac64db0461f3ee76babf0dc0cb7e4ac6d72792c
                                                                                                                                                  • Instruction ID: 54201c58d6e1a1d0c5e7bbf501e7bd9a49edd03cdedfc854ae83f8d4581de42b
                                                                                                                                                  • Opcode Fuzzy Hash: ed228d0a4bb73029d87fcf7bdac64db0461f3ee76babf0dc0cb7e4ac6d72792c
                                                                                                                                                  • Instruction Fuzzy Hash: 6501F1390422119BCB32EB1A8459E7EBBEDFF61A50B54482EE1012F220CBB09C41CBD1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                                                                                                  • Instruction ID: e801284e443cc451a1d4e189a7732693c92c0f21ff2a37b782515a40d451cd0c
                                                                                                                                                  • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                                                                                                  • Instruction Fuzzy Hash: 1C01F9721007059FEB2396AAC4C4AA777F9FFD5210F05481EA5558B650DA74E402C760
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 0ef9f981aaa8683775b1b00a162af6ff4543299c0eae8ef9a46b87a2835d0cbc
                                                                                                                                                  • Instruction ID: d2f1ebfc9d731f9a9afea631d99f14527e4bc541917a27750c3f3efda5cae984
                                                                                                                                                  • Opcode Fuzzy Hash: 0ef9f981aaa8683775b1b00a162af6ff4543299c0eae8ef9a46b87a2835d0cbc
                                                                                                                                                  • Instruction Fuzzy Hash: 96118C75A0120EAFDF16EFA4C854FAE7BB5FB84340F004059FA019B290DB35AE12CB90
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 41cc309f2d837c00964062f5ae75421020aec571f181b55b6b7230a79528ee8e
                                                                                                                                                  • Instruction ID: 39dab7bf82d760d6ade0f5a3c3150235e3b310ebdb3d36bee18c01e583713cf7
                                                                                                                                                  • Opcode Fuzzy Hash: 41cc309f2d837c00964062f5ae75421020aec571f181b55b6b7230a79528ee8e
                                                                                                                                                  • Instruction Fuzzy Hash: 2801D4B2200901BBC611AB6ACD90E57B7ECFBA4654700062EF50597571DB74EC01C6E0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: e52fc90d4c4016d508436f2e841384e40c45ad10ef763ab046da4ae443bf4e8b
                                                                                                                                                  • Instruction ID: bb91ecb22d024611598ee7d809f4cf48ba95323e63a4fe440b08698f88e86d57
                                                                                                                                                  • Opcode Fuzzy Hash: e52fc90d4c4016d508436f2e841384e40c45ad10ef763ab046da4ae443bf4e8b
                                                                                                                                                  • Instruction Fuzzy Hash: E9014032214242DFC360DF7AC44496BBBE8FF94620F91451AED548F1C0D7309901C7D1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 3e3ee17a607d13cc5d7060476b138b98bfd44235763423c7cc7529040655497e
                                                                                                                                                  • Instruction ID: 8bec5c0354ddd92800e5df42a17e03000370cd82c2047606a84e4f1d981f5c7f
                                                                                                                                                  • Opcode Fuzzy Hash: 3e3ee17a607d13cc5d7060476b138b98bfd44235763423c7cc7529040655497e
                                                                                                                                                  • Instruction Fuzzy Hash: 44115775A0220AABDB15EFA8C944EAE7BB5FB98244F004059B9019B390DA35EA11CB90
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 4e93682daa6bc691be7216081cdd7d3188922886a5cee61238825b164cc06d45
                                                                                                                                                  • Instruction ID: 27f357d3a01bad793fe03c64636aa8b4e9bffa33cf16261c0864fab7cd5f35ee
                                                                                                                                                  • Opcode Fuzzy Hash: 4e93682daa6bc691be7216081cdd7d3188922886a5cee61238825b164cc06d45
                                                                                                                                                  • Instruction Fuzzy Hash: 4C1139B56193099FC710DF69D441A5BBBE4FF99710F00491EBA98DB391E630E901CB92
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 3a4224036c7fa908fb76b6259c3f365c876bf18b97164bbd56a45ec75f66bcb6
                                                                                                                                                  • Instruction ID: 1462f6512dee8ad9316f12664f41794130705dcab0059ecc404750490d9cf5fa
                                                                                                                                                  • Opcode Fuzzy Hash: 3a4224036c7fa908fb76b6259c3f365c876bf18b97164bbd56a45ec75f66bcb6
                                                                                                                                                  • Instruction Fuzzy Hash: C81139B16193099FC710DF6AD441A5BBBE4FF99750F00891EB958DB3A0E670E901CB92
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                                                                                  • Instruction ID: f7bd67e844afff4fab7aa4978ae4c5fdb49fda5896f7eb923b0190e2cb3f458c
                                                                                                                                                  • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                                                                                  • Instruction Fuzzy Hash: 3B01BCB22005809FEB23871DC928F2A7BD8FB44744F0904A2F905DF6A2C638DC41C621
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: e75209389a8e9d67a19dd3a3cdd2618ec2183c4700ff84a8f0d083caa82d63e5
                                                                                                                                                  • Instruction ID: 82fcefecbc5835f0a156bfc07ea157ba4f7ca6e4c4f59c2b7ded80fecb2164a8
                                                                                                                                                  • Opcode Fuzzy Hash: e75209389a8e9d67a19dd3a3cdd2618ec2183c4700ff84a8f0d083caa82d63e5
                                                                                                                                                  • Instruction Fuzzy Hash: E10184356119069BD718DB6AD8859EF77ADFF90610B15402A9901AB754DE30E902C6A0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                  • Opcode ID: 2f20d629432e89396de2f1604c24a9d6df331e4a4f7452c1843b739719993ec3
                                                                                                                                                  • Instruction ID: 88b77c6de1859a2db2725ccf12b590ceb9db500c234753710c2589d27ca4c623
                                                                                                                                                  • Opcode Fuzzy Hash: 2f20d629432e89396de2f1604c24a9d6df331e4a4f7452c1843b739719993ec3
                                                                                                                                                  • Instruction Fuzzy Hash: A101A7712817019FD3319B1AD851F56BAE8FF65F50F11482EF606AF3A0D6B09841CB94
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 3ff4e2faffd264cee91745d86ea888142e7f2da5283fef3a2a6a4d6add2d1d46
                                                                                                                                                  • Instruction ID: d9ebb6f41f124ac8ded8ed01f8176caacacc3b4657e5752551a4042142d4b122
                                                                                                                                                  • Opcode Fuzzy Hash: 3ff4e2faffd264cee91745d86ea888142e7f2da5283fef3a2a6a4d6add2d1d46
                                                                                                                                                  • Instruction Fuzzy Hash: 9DF0F932741610B7C7319F5B8D50F577AA9EB94FA0F00402EA60597610CA70ED01C6B0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                                                                                  • Instruction ID: 4cc0ceccde15d317186be3d027ae14c49c45a4f57fcfdbbf0a5d0498356d38ea
                                                                                                                                                  • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                                                                                  • Instruction Fuzzy Hash: 79F0C2F2600611ABD324CF8DDC40E57FBEADBD1A90F048169E509CB320EA31ED04CB90
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 795fd0d0033ad34a5f06b5be4dbcd6d1beaf4b4f88316eee7f46aa4d3925b73e
                                                                                                                                                  • Instruction ID: 48151bf18ef8478dd18ff7694970e059fdc47c10b7a3ee15a2739ed2e12d5839
                                                                                                                                                  • Opcode Fuzzy Hash: 795fd0d0033ad34a5f06b5be4dbcd6d1beaf4b4f88316eee7f46aa4d3925b73e
                                                                                                                                                  • Instruction Fuzzy Hash: 9F014475E1020AEFDB04DFA9D551A9EB7F8FF58304F10405AF914EB390D6749A01CBA1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                                                                                  • Instruction ID: 3bf3d1eddf6729b916f6f8a606953c5163aa756f1f9daa568875034bca78713e
                                                                                                                                                  • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                                                                                  • Instruction Fuzzy Hash: 55F0FC732066239BD732579E48C0BABA5959FE1A64F59003BE2059B264C9748D0256F1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: cc82f5702b9f7f2d53ffce89062216cff00ffbd5e8d6ebf42a610a00b92d261e
                                                                                                                                                  • Instruction ID: 2db9ab5bea8008056b11d6e68fb70334fe6028979e81b27eb63feba4b505f138
                                                                                                                                                  • Opcode Fuzzy Hash: cc82f5702b9f7f2d53ffce89062216cff00ffbd5e8d6ebf42a610a00b92d261e
                                                                                                                                                  • Instruction Fuzzy Hash: F7012C71A1020AAFDF04DFA9D551AAEB7F8FF58304F10406AF914EB391D674AA018BA1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 47d2d053d18153ff4586256eba5334a0bf85fefc4ec0cef02cbd1b0b67031dae
                                                                                                                                                  • Instruction ID: 88932a40c76f70708ba50a9196231b1751866f15baa517074b9cfe6fe626ea99
                                                                                                                                                  • Opcode Fuzzy Hash: 47d2d053d18153ff4586256eba5334a0bf85fefc4ec0cef02cbd1b0b67031dae
                                                                                                                                                  • Instruction Fuzzy Hash: 1E014471E0020AEFDB04DFA9D555A9EBBF8FF58304F50405AF914EB390D6749D058BA1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                                                                                                  • Instruction ID: 86e8296ac4f48f3cb8ede3291156250048bc194198ebd47559241b49585cffeb
                                                                                                                                                  • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                                                                                                  • Instruction Fuzzy Hash: 3B014432A006899BE326C75DC804F9ABBD8FF91718F0840AAFB048FBB1D678D801C611
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                                                                                                  • Instruction ID: bffd4aa67456c4e33ae8e1666d49f33d78142a64db0ba06ffe3e895b5c792645
                                                                                                                                                  • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                                                                                                  • Instruction Fuzzy Hash: E0F0E53D205341DBEB5BCF19D050AE97BA4FB51760F04006AFC428B321D731E982CB50
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                                                                                                  • Instruction ID: a6dfe492a0161f220a75a0c556042d4c4902e3fe91f3df5b57f43e05dc3b3949
                                                                                                                                                  • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                                                                                                  • Instruction Fuzzy Hash: CEE0D832A44545ABD7212A5D8800B677BA5DBE07A0F19042FE3008B370DF74DC45C7D8
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 17277344ec226b7b55924bd9eae48cf7cc69517aafbd89b43c6316b9cbe6a304
                                                                                                                                                  • Instruction ID: 0f9e67e001bb454022cc9f06fb8b10334aca63ac85507138d905893c6aa07c15
                                                                                                                                                  • Opcode Fuzzy Hash: 17277344ec226b7b55924bd9eae48cf7cc69517aafbd89b43c6316b9cbe6a304
                                                                                                                                                  • Instruction Fuzzy Hash: B4F0E571A256924FEF72D72CE340B5E77E0BB10A70F0A0555D4008F912C320DC42C652
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                                                                                                                  • Instruction ID: f485c5d034b9023405f9a2e3c1b7a7cccc2b4f26e554aefbbf563eafad8e5227
                                                                                                                                                  • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                                                                                                                  • Instruction Fuzzy Hash: 71E0DF32A00110BFDB21A79A8D11F9BBEBCEBA0EA0F050059B600EB1E0E930DE00D6D0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                                                                                                                  • Instruction ID: 23b2f98ca620e651de074d70f4675146d6fac5df80af16bb8c5e31946105aaaf
                                                                                                                                                  • Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                                                                                                                  • Instruction Fuzzy Hash: A3E09B727407518BCF258A1DC140A57B7ECFFD5A60F158469EA054F653C231F843C6D1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                  • Opcode ID: a7e3f538cdb976533feb2e5fd9fc52af06c423058fbcb0e494e01cfbb986bcfa
                                                                                                                                                  • Instruction ID: aa4894acf6895aeaebbb53d8df8aa023f93d12be611f37f604411c8b85d7cb78
                                                                                                                                                  • Opcode Fuzzy Hash: a7e3f538cdb976533feb2e5fd9fc52af06c423058fbcb0e494e01cfbb986bcfa
                                                                                                                                                  • Instruction Fuzzy Hash: A6E09272100A549BC722BF2ADD15F9A779AEBB0764F01451EF1565B1A0CA74A810C794
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                                                                                                                  • Instruction ID: 88b6bf15e199ab3124bf7d6ad8839ebcd65914c2c8cfa04b229102174c1dfb61
                                                                                                                                                  • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                                                                                                                  • Instruction Fuzzy Hash: 26E09231010A12DFE7326F2BD84CB5A7AE1BFA0711F188C2DA196164B0C77598C0CA40
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                                                                                                  • Instruction ID: aab5814863884e6aff59de73619c9812e2c1427cda4c78e30cc5f21739eb6cc9
                                                                                                                                                  • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                                                                                                  • Instruction Fuzzy Hash: F5E0C2343403058FE715CF19C040B667BB6BFD5A14F28C068A9488F205EB33E852CB40
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                                                                                                  • Instruction ID: 1936a82dac6a1bde9ce7541ba32ce059c1320db92f1996da0fc82f118c625a5a
                                                                                                                                                  • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                                                                                                  • Instruction Fuzzy Hash: BAE08631000912DEDB363F1ADC44B9176A5FB94B10F15481AE181090B486745882CA54
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: f03b0136f3d994ed752ee2a5f7b6ffcbabbd083b0e97d69443adcef592cbf468
                                                                                                                                                  • Instruction ID: 46b80b0e75646f0a3a1389e24e28a1891fce7ba5003c9cdc0850b416cc38f7aa
                                                                                                                                                  • Opcode Fuzzy Hash: f03b0136f3d994ed752ee2a5f7b6ffcbabbd083b0e97d69443adcef592cbf468
                                                                                                                                                  • Instruction Fuzzy Hash: F4E0C2332005606BC711FF6EDD60F9A739EEFB4A60F05012AF1558B2A0CA70AC00C7A4
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                                                                                                  • Instruction ID: b0d904694901c38aefa184310d18d677d2646a3578d560bfdc221cac7425e7b3
                                                                                                                                                  • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                                                                                                  • Instruction Fuzzy Hash: 7CD0A7731045105BD7329A1DFC00FC333D8BB98720F050459B004C7050C360AC41C644
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                                                                                                  • Instruction ID: 8204f5d8abe3eae0400fce73774e45fdae6f80e49acf33e669f3f86466413dc3
                                                                                                                                                  • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                                                                                                  • Instruction Fuzzy Hash: 80E0EC769506849BDF52DF9AC640F5EBBF9FB94B40F150058A1086F661C734AD00CB40
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                                                                                                  • Instruction ID: 0d18ffaad898a61beaafa678b2d83a0fc6d83b33f7b0a4463deabec3320479ce
                                                                                                                                                  • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                                                                                                  • Instruction Fuzzy Hash: 38D0223321207093CF285B666850FA37905EB80A90F2A002F340A93920C0258C43C2F0
Memory Dump Source
• Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
APIs
Strings
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
APIs
Strings
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
Strings
• CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 015346FC
• ExecuteOptions, xrefs: 015346A0
• CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01534742
• CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01534655
• CLIENT(ntdll): Processing section info %ws..., xrefs: 01534787
• Execute=1, xrefs: 01534713
• CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01534725
Similarity
• API ID:
• String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
• API String ID: 0-484625025
APIs
Strings
Similarity
• API ID: __aulldvrm
• String ID: +$-$0$0
• API String ID: 1302938615-699404926
APIs
Strings
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$[$]:%u
• API String ID: 48624451-2819853543
Strings
• RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 015302E7
• RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 015302BD
• RTL: Re-Waiting, xrefs: 0153031E
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                                                                                  • API String ID: 0-2474120054
                                                                                                                                                  • Opcode ID: 72e13f2fca4ea2d4cfa59237e8c8b335e0122585ad62d0d86c00a4828f17fa51
                                                                                                                                                  • Instruction ID: 8cde6061a7a5cedf9eecb6b1350da4004bdcfcbf1aafa0841cebe60853103372
                                                                                                                                                  • Opcode Fuzzy Hash: 72e13f2fca4ea2d4cfa59237e8c8b335e0122585ad62d0d86c00a4828f17fa51
                                                                                                                                                  • Instruction Fuzzy Hash: 8FE19F706087429FE725CF28C888B2ABBE0BF84315F144A5EF5A5CB2E1D774D949CB52
                                                                                                                                                  Strings
                                                                                                                                                  • RTL: Resource at %p, xrefs: 01537B8E
                                                                                                                                                  • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01537B7F
                                                                                                                                                  • RTL: Re-Waiting, xrefs: 01537BAC
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                                                  • API String ID: 0-871070163
                                                                                                                                                  • Opcode ID: 615bf301befa89942cdecaab2b12b756cf4ea90cd0f09903b4aba89f499093f3
                                                                                                                                                  • Instruction ID: f3186b15b3639f91dc1f4ebf81e4ee43efd88b648f1fbdcbc34f414585162243
                                                                                                                                                  • Opcode Fuzzy Hash: 615bf301befa89942cdecaab2b12b756cf4ea90cd0f09903b4aba89f499093f3
                                                                                                                                                  • Instruction Fuzzy Hash: CD41E0357047038BD725CE29CC50B6BB7E5FB99720F100A1EEA56DB390EB71E4058B91
                                                                                                                                                  APIs
                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0153728C
                                                                                                                                                  Strings
                                                                                                                                                  • RTL: Resource at %p, xrefs: 015372A3
                                                                                                                                                  • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01537294
                                                                                                                                                  • RTL: Re-Waiting, xrefs: 015372C1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                                  • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                                                  • API String ID: 885266447-605551621
                                                                                                                                                  • Opcode ID: b51002da45935eeaca7f713cbc5959e34bcbba8734991b7e8c38e5a29234cbfa
                                                                                                                                                  • Instruction ID: ffd2f9eaa1ea7b434c8b91206e5a6c13e0571422f175dcf4879166f205afce46
                                                                                                                                                  • Opcode Fuzzy Hash: b51002da45935eeaca7f713cbc5959e34bcbba8734991b7e8c38e5a29234cbfa
                                                                                                                                                  • Instruction Fuzzy Hash: 6041EF71B00203ABD721CE29CD41F6AB7A5FB99714F10062EFA55AB390DB30F8528BD1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ___swprintf_l
                                                                                                                                                  • String ID: %%%u$]:%u
                                                                                                                                                  • API String ID: 48624451-3050659472
                                                                                                                                                  • Opcode ID: 521f5792b0a08c239c478b1a1e0e31c831e57d06688c6fcac13926d9685c08a8
                                                                                                                                                  • Instruction ID: d170f31d320889194b18de4c7cb270ac6eab0ff8c46947abdc564c9e41cec5dc
                                                                                                                                                  • Opcode Fuzzy Hash: 521f5792b0a08c239c478b1a1e0e31c831e57d06688c6fcac13926d9685c08a8
                                                                                                                                                  • Instruction Fuzzy Hash: 12317372A002199FDB21DF2DDC41BEEB7F8FF54610F55455AE949E7240EB30EA448BA0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: __aulldvrm
                                                                                                                                                  • String ID: +$-
                                                                                                                                                  • API String ID: 1302938615-2137968064
                                                                                                                                                  • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                                                                                                                  • Instruction ID: 6d66f495753db6c7517da0a1462ee779aabad5edf07b2f9b9c571a2a56f1e59b
                                                                                                                                                  • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                                                                                                                  • Instruction Fuzzy Hash: A0919471E002169FDB26DFEDC891ABEBBA5BF48320F14451EE9A5AF2C0D730AD418751
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, Offset: 01490000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_1490000_RegSvcs.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: $$@
                                                                                                                                                  • API String ID: 0-1194432280
                                                                                                                                                  • Opcode ID: 1d1e424058aa2be34acb3fab0089622776e77cd40c8a6cde1400d1ae54e212ec
                                                                                                                                                  • Instruction ID: 41dd9fc8cfb01e9e109066b8c90629ce59e93c5a1bf648ceb04c49bc5840b1b4
                                                                                                                                                  • Opcode Fuzzy Hash: 1d1e424058aa2be34acb3fab0089622776e77cd40c8a6cde1400d1ae54e212ec
                                                                                                                                                  • Instruction Fuzzy Hash: B2812B76D002699BDB71CB54CC45BEEBAB4BB49714F0441DAEA19BB290D7309E84CFA0

                                                                                                                                                  Execution Graph

                                                                                                                                                  Execution Coverage:1.5%
                                                                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                  Signature Coverage:11.4%
                                                                                                                                                  Total number of Nodes:79
                                                                                                                                                  Total number of Limit Nodes:9

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4157647117.000000000FBD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FBD0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_fbd0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: getaddrinforecvsetsockopt
                                                                                                                                                  • String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
                                                                                                                                                  • API String ID: 1564272048-1117930895
                                                                                                                                                  • Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                                                                                                                                  • Instruction ID: 76ece1f9142cd564bd100dcf28e93fd7bcb1c593ac783d3437248406908800cf
                                                                                                                                                  • Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                                                                                                                                  • Instruction Fuzzy Hash: CD529D30614B098BCB29EF68C4857E9B7E1FB54308F50466EC4ABCB647DE35B549CB81

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4157647117.000000000FBD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FBD0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_fbd0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CreateFile
                                                                                                                                                  • String ID: `
                                                                                                                                                  • API String ID: 823142352-2679148245
                                                                                                                                                  • Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                                                                                                                                  • Instruction ID: 7846e5a3e8527e75f563cd300e172cd05fc691c4a83268cab63c94852cc3b9ae
                                                                                                                                                  • Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                                                                                                                                  • Instruction Fuzzy Hash: 55224A70A18F0A9FCB59DF28C4956EAB7E1FB98304F80022EE45ED7251DB31E551CB81

Control-flow Graph (edge list not rendered): basic blocks fcade12-fcade8f; calls fcac942 and NtProtectVirtualMemory.
                                                                                                                                                  APIs
                                                                                                                                                  • NtProtectVirtualMemory.NTDLL ref: 0FCADE67
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4157647117.000000000FBD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FBD0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_fbd0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MemoryProtectVirtual
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2706961497-0
                                                                                                                                                  • Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                                                                                                                                  • Instruction ID: c48410328b72cd9fe58c465147fa93d8956ae87a9a54f4e22971e4169ad741d4
                                                                                                                                                  • Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                                                                                                                                  • Instruction Fuzzy Hash: 4B019E34628B484F8B88EF7C948512AB7E4FBD9218F000B3EA99AC3250EB64D5414742

Control-flow Graph (edge list not rendered): basic blocks fcade0a-fcade8f; calls fcac942 and NtProtectVirtualMemory.
                                                                                                                                                  APIs
                                                                                                                                                  • NtProtectVirtualMemory.NTDLL ref: 0FCADE67
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4157647117.000000000FBD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FBD0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_fbd0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MemoryProtectVirtual
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2706961497-0
                                                                                                                                                  • Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                                                                                                                                  • Instruction ID: 1b773c380670ecb46053765ca1c7aef057f5b6242d6a303caf86cb7710178ca2
                                                                                                                                                  • Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                                                                                                                                  • Instruction Fuzzy Hash: 6A01A734628B884B8744EB3C94451A6B3E5FBCE314F000B3EE59AC3241DB25D5014782

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                  • ObtainUserAgentString.URLMON ref: 0FCA79A0
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4157647117.000000000FBD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FBD0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_fbd0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AgentObtainStringUser
                                                                                                                                                  • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                                  • API String ID: 2681117516-319646191
                                                                                                                                                  • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                                                  • Instruction ID: fcf787b4d9427f3b7a03310447a2b856b3ffd17323b896142050eef0fa13d8a2
                                                                                                                                                  • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                                                  • Instruction Fuzzy Hash: 2631C031614B0D8FCB04EFA8C8857EDBBE0FF58208F40022AD45ED7241DE799649C799

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                  • ObtainUserAgentString.URLMON ref: 0FCA79A0
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4157647117.000000000FBD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FBD0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_fbd0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AgentObtainStringUser
                                                                                                                                                  • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                                  • API String ID: 2681117516-319646191
                                                                                                                                                  • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                                  • Instruction ID: 5577062f59b5d04c7ca3c7867a45797e391aaab9f613723f1c26751db2edf07e
                                                                                                                                                  • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                                  • Instruction Fuzzy Hash: 3821C330A10B0E8ECB05EFA9C8457EDBBA0FF58208F40422AD45AD7241DF79A609C795

Control-flow Graph (edge list not rendered): basic blocks fca3b66-fca3cf6; calls fcaa612, fcac942 (twice), fcaeda4, fcae022, fcae3e2 and CreateMutexExW.
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4157647117.000000000FBD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FBD0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_fbd0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CreateMutex
                                                                                                                                                  • String ID: .dll$el32$kern
                                                                                                                                                  • API String ID: 1964310414-1222553051
                                                                                                                                                  • Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                                                                                                                                                  • Instruction ID: 4c8182ce7a304842f04b7ddfc806a71e94f369f8904b479dc028e96086cc3339
                                                                                                                                                  • Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                                                                                                                                                  • Instruction Fuzzy Hash: 59418C70918A0D8FDB44EFA8C899BAD77F0FB58304F40417AD84EDB256DE35AA45CB81

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4157647117.000000000FBD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FBD0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_fbd0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CreateMutex
                                                                                                                                                  • String ID: .dll$el32$kern
                                                                                                                                                  • API String ID: 1964310414-1222553051
                                                                                                                                                  • Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                                                                                                                                  • Instruction ID: daec451ba0ca8a31cc9c985843aa440e0f1f0ee1282208c64f2df42df9b2ac9a
                                                                                                                                                  • Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                                                                                                                                  • Instruction Fuzzy Hash: 1E417B70918A088FCB84EFA8C8997ED77F0FB58304F00417AD84EDB256DE34AA45CB85

Control-flow Graph (edge list not rendered): basic blocks fca972e-fca97ab; calls fcac942 and connect.
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4157647117.000000000FBD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FBD0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_fbd0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: connect
                                                                                                                                                  • String ID: conn$ect
                                                                                                                                                  • API String ID: 1959786783-716201944
                                                                                                                                                  • Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
                                                                                                                                                  • Instruction ID: 61d03d87cf564d4d0b022ab6e7e006110603808457842f647f36d79fdae8eecd
                                                                                                                                                  • Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
                                                                                                                                                  • Instruction Fuzzy Hash: 62015E30618B188FCB84EF1CE089B55B7E0FB58314F1545AED90DCB226C674D9818BC2

Control-flow Graph (edge list not rendered): basic blocks fca9732-fca97ab; calls fcac942 and connect.
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4157647117.000000000FBD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FBD0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_fbd0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: connect
                                                                                                                                                  • String ID: conn$ect
                                                                                                                                                  • API String ID: 1959786783-716201944
                                                                                                                                                  • Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
                                                                                                                                                  • Instruction ID: 9f533664deeaf8ea4ca00f03622502b0a4dce60b7626a8fdc10e5d68ed1d2210
                                                                                                                                                  • Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
                                                                                                                                                  • Instruction Fuzzy Hash: 8F014F70618A1C8FCB84EF5CE089B55B7E0FB59314F1541AEE80DCB226CB74D9818BC2

Control-flow Graph (edge list not rendered): basic blocks fca96b2-fca972d; calls fcac942 and send.
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.4157647117.000000000FBD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FBD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_fbd0000_explorer.jbxd
Similarity
• API ID: send
• String ID: send

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.4157647117.000000000FBD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FBD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_fbd0000_explorer.jbxd
Similarity
• API ID: socket
• String ID: sock

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000007.00000002.4157647117.000000000FBD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FBD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_fbd0000_explorer.jbxd
Similarity
• API ID: Sleep
• String ID:

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000007.00000002.4157647117.000000000FBD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FBD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_fbd0000_explorer.jbxd
Similarity
• API ID: CreateThread
• String ID:
Strings
Memory Dump Source
• Source File: 00000007.00000002.4156965076.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e7c0000_explorer.jbxd
Similarity
• API ID:
• String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
Strings
Memory Dump Source
• Source File: 00000007.00000002.4157117519.000000000F6D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F6D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_f6d0000_explorer.jbxd
Similarity
• API ID:
• String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
Strings
Memory Dump Source
• Source File: 00000007.00000002.4156965076.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e7c0000_explorer.jbxd
Similarity
• API ID:
• String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
Strings
Memory Dump Source
• Source File: 00000007.00000002.4157117519.000000000F6D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F6D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_f6d0000_explorer.jbxd
Similarity
• API ID:
• String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
Strings
Memory Dump Source
• Source File: 00000007.00000002.4156965076.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e7c0000_explorer.jbxd
Similarity
• API ID:
• String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
Strings
Memory Dump Source
• Source File: 00000007.00000002.4157117519.000000000F6D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F6D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_f6d0000_explorer.jbxd
Similarity
• API ID:
• String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
Strings
Memory Dump Source
• Source File: 00000007.00000002.4156965076.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e7c0000_explorer.jbxd
Similarity
• API ID:
• String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
Strings
Memory Dump Source
• Source File: 00000007.00000002.4157117519.000000000F6D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F6D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_f6d0000_explorer.jbxd
Similarity
• API ID:
• String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4156965076.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e7c0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: .$0$c$n$r$r$r$r$r$r$r$r
                                                                                                                                                  • API String ID: 0-97273177
                                                                                                                                                  • Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                                                                                                                  • Instruction ID: d9ef9365f84f36b839b7c5a6d6eac11b41b23e37f1ccda5309e614f91743d57b
                                                                                                                                                  • Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                                                                                                                  • Instruction Fuzzy Hash: AF51B3316187488FD719DF28D4856AAB7E5FB85700F60192EE8CBC7242DBB49906CB83
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4157117519.000000000F6D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F6D0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_f6d0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: .$0$c$n$r$r$r$r$r$r$r$r
                                                                                                                                                  • API String ID: 0-97273177
                                                                                                                                                  • Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                                                                                                                  • Instruction ID: a4cc0f683ebe75380ae726f307f7bee1ba1deb1cd5dc33bf2f6c3ffe1986e4d7
                                                                                                                                                  • Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                                                                                                                  • Instruction Fuzzy Hash: 4D51E5316197488FD719DF18D8812EAB7E5FBC5700F501A2EE8CBC7242DBB59546CB82
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4156965076.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e7c0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                                                                                                                  • API String ID: 0-639201278
                                                                                                                                                  • Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                                                                                                                  • Instruction ID: 828691c91f8210830e16a309db769907df0962e79e0fef2bce0c0d5fc780d7cf
                                                                                                                                                  • Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                                                                                                                  • Instruction Fuzzy Hash: DFC16D70618A198FC758EF78D495AAAF3E1FB98300F64472E954AD7250DF30EA01CBC6
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4156965076.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e7c0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                                                                                                                  • API String ID: 0-639201278
                                                                                                                                                  • Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                                                                                                                  • Instruction ID: 08f543a4f8c435e273c1c5fd3b1cbab3cb155b3ecccc9eb58e3961f889bbdfc0
                                                                                                                                                  • Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                                                                                                                  • Instruction Fuzzy Hash: CDC17E70618A198FC758EB78D495AAAF3E1FB98300F64472E954AD7250DF30EE01CBC6
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4157117519.000000000F6D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F6D0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_f6d0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                                                                                                                  • API String ID: 0-639201278
                                                                                                                                                  • Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                                                                                                                  • Instruction ID: 44db27235a488f51920743cb25046e6c1d9d81fe188e4c0aadf75a2c4bfb7629
                                                                                                                                                  • Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                                                                                                                  • Instruction Fuzzy Hash: 0EC1B072619B198FC758EB68D495AEAB3E1FF94300F90432D841EC7256DF34AA06C789
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4157117519.000000000F6D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F6D0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_f6d0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                                                                                                                  • API String ID: 0-639201278
                                                                                                                                                  • Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                                                                                                                  • Instruction ID: 89ca9d38a04e20770c4f8ae86a4bee69b03583b2ae6ad01b822bbe6f02b99ff9
                                                                                                                                                  • Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                                                                                                                  • Instruction Fuzzy Hash: 41C1B071619B198FC758EF68C495AAAB3E1FF94300F90432D841EC7256DF34E906C789
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4156965076.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e7c0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: UR$2$L: $Pass$User$name$word
                                                                                                                                                  • API String ID: 0-2058692283
                                                                                                                                                  • Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                                                                                                                                  • Instruction ID: f08b9c3ec8abbfa40c90f06cb50cb4c8d40f53504101e5481d6a0c1b32783ec1
                                                                                                                                                  • Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                                                                                                                                  • Instruction Fuzzy Hash: 05A1817061874C8BDB19EFA8D4447EEB7E2FF98300F404A2DE48AD7291EF7499458786
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4157117519.000000000F6D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F6D0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_f6d0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: UR$2$L: $Pass$User$name$word
                                                                                                                                                  • API String ID: 0-2058692283
                                                                                                                                                  • Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                                                                                                                                  • Instruction ID: 38b066939d39978a27afeae522d22a2d9b16333d3c0924b4fb434d0808348fd8
                                                                                                                                                  • Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                                                                                                                                  • Instruction Fuzzy Hash: 2AA1C0716187488FDB28EFA8D4447EEB7E1FF98300F40462DD48AD7252EF7495498789
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4156965076.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e7c0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: UR$2$L: $Pass$User$name$word
                                                                                                                                                  • API String ID: 0-2058692283
                                                                                                                                                  • Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                                                                                                                                  • Instruction ID: 9f6a5a88a682ee85417337abd43d03fd71f9810fcdd8bb8294cba6befe99b31a
                                                                                                                                                  • Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                                                                                                                                  • Instruction Fuzzy Hash: 0191727061874C8BDB19EFA8D4447EEB7E2FF98300F40462DE48AD7291DF7499458786
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4157117519.000000000F6D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F6D0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_f6d0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: UR$2$L: $Pass$User$name$word
                                                                                                                                                  • API String ID: 0-2058692283
                                                                                                                                                  • Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                                                                                                                                  • Instruction ID: 1955a3f6ddeb065fcbbf36934af87c0fa4ed211f1d9306052d1db4d27e4eb5dd
                                                                                                                                                  • Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                                                                                                                                  • Instruction Fuzzy Hash: 8A91A0716187488FDB18EFA8D444BEEB7E1FF98300F40462ED48AD7252EF7495498789
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4156965076.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e7c0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: $.$e$n$v
                                                                                                                                                  • API String ID: 0-1849617553
                                                                                                                                                  • Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                                                                                                                                  • Instruction ID: 903ab18fd67056bc7b04a053fbd35457559e676782f1eec0e952e86dc4f22cc1
                                                                                                                                                  • Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                                                                                                                                  • Instruction Fuzzy Hash: E871A2716187488FD759EFA8C4886AAB7F1FF58305F100A2EE44AC7261EB74DD458B82
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4157117519.000000000F6D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F6D0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_f6d0000_explorer.jbxd
                                                                                                                                                  Similarity
• API ID:
• String ID: $.$e$n$v
• API String ID: 0-1849617553
• Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
• Instruction ID: d60e2dc62213bdd0efaedc374144169cd8652f8e41072e08d346e2f6b5141473
• Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
• Instruction Fuzzy Hash: 6E719531618B498FD758EFA8C4887AAB7F1FF58304F00062ED44AC7262EF75E9458B85
Strings
Memory Dump Source
• Source File: 00000007.00000002.4156965076.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e7c0000_explorer.jbxd
Similarity
• API ID:
• String ID: 2.dl$dll$l32.$ole3$shel
• API String ID: 0-1970020201
• Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
• Instruction ID: c00ac3ef5290338a0e6df48d2b5ca35b6573bf4439200389b54a77a72acb7f22
• Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
• Instruction Fuzzy Hash: AE514DB0914B4C8BDB55EFA8C0446EEB7F1FF58301F504A2E999AE7254EF3095418BCA
Strings
Memory Dump Source
• Source File: 00000007.00000002.4157117519.000000000F6D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F6D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_f6d0000_explorer.jbxd
Similarity
• API ID:
• String ID: 2.dl$dll$l32.$ole3$shel
• API String ID: 0-1970020201
• Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
• Instruction ID: 9779e83a220633d2b1a21de7e66d23b4685ae5299de0ebabef8e732726c261f5
• Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
• Instruction Fuzzy Hash: 37515CB1918B4C8FDB64EFA4C045AEEB7F1FF68301F40462E949AE7215EF3095458B89
Strings
Memory Dump Source
• Source File: 00000007.00000002.4156965076.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e7c0000_explorer.jbxd
Similarity
• API ID:
• String ID: 4$\$dll$ion.$vers
• API String ID: 0-1610437797
• Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
• Instruction ID: a32755347ba667d3a5ada293e3240a0f4a50b42108598ac12006ab10135e9302
• Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
• Instruction Fuzzy Hash: F4416F30618B8C8BCB65EF3898557EA73E5FB98301F514A2E999EC7240EF30D90587C2
Strings
Memory Dump Source
• Source File: 00000007.00000002.4157117519.000000000F6D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F6D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_f6d0000_explorer.jbxd
Similarity
• API ID:
• String ID: 4$\$dll$ion.$vers
• API String ID: 0-1610437797
• Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
• Instruction ID: 259c8e42b578edd796ddd6d651a994bfcdb5bbd9638a388242a158bb8a707575
• Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
• Instruction Fuzzy Hash: D5418F35619B888FCBA5EF3898457EAB3E0FB98301F51462E989EC7345EF30D5058786
Strings
Memory Dump Source
• Source File: 00000007.00000002.4156965076.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e7c0000_explorer.jbxd
Similarity
• API ID:
• String ID: 32.d$cli.$dll$sspi$user
• API String ID: 0-327345718
• Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
• Instruction ID: afe544a2776f731031953731dd761d2a4490dc058b4760cfda6190394f9da309
• Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
• Instruction Fuzzy Hash: B1413D30A18E0DDFCB58EFAC80957AD77E1FB58301F60467EA80AD7254EA71D9418BC6
Strings
Memory Dump Source
• Source File: 00000007.00000002.4157117519.000000000F6D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F6D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_f6d0000_explorer.jbxd
Similarity
• API ID:
• String ID: 32.d$cli.$dll$sspi$user
• API String ID: 0-327345718
• Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
• Instruction ID: 33f40c5d0d034e2f73a0a8630f99f2bcccd569fa1be8db93578e4824f7edb2f1
• Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
• Instruction Fuzzy Hash: 57415C31A29F0D8FCB58EF68C0947AE77E1FB68300F50016EA80AD7346DA76D5418B86
Strings
Memory Dump Source
• Source File: 00000007.00000002.4156965076.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e7c0000_explorer.jbxd
Similarity
• API ID:
• String ID: .dll$el32$h$kern
• API String ID: 0-4264704552
• Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
• Instruction ID: b0dedf33eef756e88f34b5fac26eb560cee5f4e59dd1dbf309768604eb09ba6a
• Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
• Instruction Fuzzy Hash: 95418370A09B4C4FD769DF7880943AAB7E1FB98301F244B6E949EC3255DB70C945CB82
Strings
Memory Dump Source
• Source File: 00000007.00000002.4157117519.000000000F6D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F6D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_f6d0000_explorer.jbxd
Similarity
• API ID:
• String ID: .dll$el32$h$kern
• API String ID: 0-4264704552
• Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
• Instruction ID: a500e4cf9de94aa2d44c46ef96152003bc7fbdba8c7ff1d09d90c3a7297471bd
• Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
• Instruction Fuzzy Hash: E5419F71A09B488FD7A9DF2980883AAB7E1FB98300F504A2F949EC3256DF70D545CB85
Strings
Memory Dump Source
• Source File: 00000007.00000002.4156965076.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e7c0000_explorer.jbxd
Similarity
• API ID:
• String ID: $Snif$f fr$om:
• API String ID: 0-3434893486
• Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
• Instruction ID: 6e3900ef211c58d629748f915b52d8a438c0137edd87a545abf98e2e324c63f4
• Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
• Instruction Fuzzy Hash: 3031B071519B885FD71AEB38C4846DAB7D4FB84300F604D1EE49BC7292EA34A949CA83
Strings
Memory Dump Source
• Source File: 00000007.00000002.4157117519.000000000F6D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F6D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_f6d0000_explorer.jbxd
Similarity
• API ID:
• String ID: $Snif$f fr$om:
• API String ID: 0-3434893486
• Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
• Instruction ID: 9ad2ea0aa0898042b0a5c26dbfd8f2227c795708c8fd142cb642a367ec72958c
• Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
• Instruction Fuzzy Hash: C831EF7151DB886FD71AEF28C0846DABBD0FB84300F50491EE49BC7252EE34A54ACB46
Strings
Memory Dump Source
• Source File: 00000007.00000002.4156965076.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e7c0000_explorer.jbxd
Similarity
• API ID:
• String ID: $Snif$f fr$om:
• API String ID: 0-3434893486
• Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
• Instruction ID: e841e1816821bc645cbc1612d1570c58cff81066900daf4195fc4f40a9b0da52
• Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
• Instruction Fuzzy Hash: 3B31A571518B485FD71ADF28C4846DAB7D5FB94300F504D1EE49BC7292EE34E945CA83
Strings
Memory Dump Source
• Source File: 00000007.00000002.4157117519.000000000F6D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F6D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_f6d0000_explorer.jbxd
Similarity
• API ID:
• String ID: $Snif$f fr$om:
• API String ID: 0-3434893486
• Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
• Instruction ID: 1c256b5dfe90aee99868f75925ccfa92a91d12d0e74f64a04ac68099e4642a1b
• Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
• Instruction Fuzzy Hash: 1A31E17251DB486FD71AEF28C4846EAB7D4FB94300F50491EE49BC7253EE34E50ACA46
Strings
Memory Dump Source
• Source File: 00000007.00000002.4156965076.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e7c0000_explorer.jbxd
Similarity
• API ID:
• String ID: .dll$chro$hild$me_c
• API String ID: 0-3136806129
• Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
• Instruction ID: 03ad247bc0a20fe48db43bb71d7698b3c31cfe65e30a4b7dc3bbd12a226bb282
• Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
• Instruction Fuzzy Hash: CB315070518B188FCB94EF688495BAAB7E1FB94300F94496D944ECB254DF30C905CB93
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4157117519.000000000F6D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F6D0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_f6d0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: .dll$chro$hild$me_c
                                                                                                                                                  • API String ID: 0-3136806129
                                                                                                                                                  • Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                                                                                                                  • Instruction ID: 36d3bc1ece73545e393c1e133654e597c1afc2d3658e1fd8a3def1b075e4c35d
                                                                                                                                                  • Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                                                                                                                  • Instruction Fuzzy Hash: F9317C71119B088FCB94EF688495BAAB7E1FF98300F94062DA44ECB256DF34D905C756
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4156965076.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e7c0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: .dll$chro$hild$me_c
                                                                                                                                                  • API String ID: 0-3136806129
                                                                                                                                                  • Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                                                                                                                  • Instruction ID: 16bf819e6d677acc8a92f943d4e3e4c836796062cc19a47929ed161b871ce00b
                                                                                                                                                  • Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                                                                                                                  • Instruction Fuzzy Hash: F6314F70518B188FCB94EF689494BAAB7E1FF98300FA44A6D944ACB255DF30C905CB93
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4157117519.000000000F6D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F6D0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_f6d0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: .dll$chro$hild$me_c
                                                                                                                                                  • API String ID: 0-3136806129
                                                                                                                                                  • Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                                                                                                                  • Instruction ID: c828cd5e104b8202eb2c79c92facc511a034047bbffcef5de46459f1a042dfa2
                                                                                                                                                  • Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                                                                                                                  • Instruction Fuzzy Hash: 7E318B71219B088FCB94EF688494BAAB7E1FF98300F94062DA44ECB356DF34D905CB56
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4156965076.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e7c0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                                  • API String ID: 0-319646191
                                                                                                                                                  • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                                                  • Instruction ID: 6e7640e3e045eb0ccb495738fc1d62db97e5aa126ba8f254bd0b06c5e40b9e0b
                                                                                                                                                  • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                                                  • Instruction Fuzzy Hash: 3831D171614A0C8BCF45EFA8C8847EEB7E1FB58205F50062AD94ED7240EE788A45C7CA
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4157117519.000000000F6D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F6D0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_f6d0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                                  • API String ID: 0-319646191
                                                                                                                                                  • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                                                  • Instruction ID: af1375e59163541fe42ec85b676fcb94816ac0f568e336d0f3735a188341d2ca
                                                                                                                                                  • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                                                  • Instruction Fuzzy Hash: C131C031614B0D8BCB44EFA8C8847EEBBE0FF58205F40022AD45ED7246DE788649C789
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4156965076.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e7c0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                                  • API String ID: 0-319646191
                                                                                                                                                  • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                                  • Instruction ID: aef53eb36bd92399ca9f979d30fe47cc2262c2b84ea759460bff1b69b77d8912
                                                                                                                                                  • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                                  • Instruction Fuzzy Hash: 8A21C370A10A0D8BCF05EFA8C8447EEBBE1FF58205F50461AD45AD7244EE788A0587C6
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4157117519.000000000F6D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F6D0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_f6d0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                                  • API String ID: 0-319646191
                                                                                                                                                  • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                                  • Instruction ID: 23e66448b083c15b8f6dfccc156e4282e178a889b1691876ca49d9665e8cbc57
                                                                                                                                                  • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                                  • Instruction Fuzzy Hash: 5F21C171614B0D8BCF05EFA8C8847EDBBE0FF58205F40422EE45AD7246EE788609C789
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4156965076.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e7c0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: .$l$l$t
                                                                                                                                                  • API String ID: 0-168566397
                                                                                                                                                  • Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                                                                                                                  • Instruction ID: fe16a60d8cbfe8df5a6315c58b9a447dbda56ad166768f2912fafdec805d9552
                                                                                                                                                  • Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                                                                                                                  • Instruction Fuzzy Hash: 4F218070A24B0D9FDB48EFA8C0447AEBAF1FF18304F50462ED549D7600DB789995CB86
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4156965076.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e7c0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: .$l$l$t
                                                                                                                                                  • API String ID: 0-168566397
                                                                                                                                                  • Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                                                                                                                  • Instruction ID: 5499a26d83797cbc79191a0880c6f6621e03a90ea0024fefdd9dbc3bca7753a3
                                                                                                                                                  • Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                                                                                                                  • Instruction Fuzzy Hash: 89218070A24A0D9BDB48EFA8C0447EEBBF1FB18304F50462DD549D7600DB7899958BC6
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4157117519.000000000F6D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F6D0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_f6d0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: .$l$l$t
                                                                                                                                                  • API String ID: 0-168566397
                                                                                                                                                  • Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                                                                                                                  • Instruction ID: f53fd5ffccbcd5b8bf7a4bd3812fd8399a881bee7806b69f6aa931c06f0c20d4
                                                                                                                                                  • Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                                                                                                                  • Instruction Fuzzy Hash: BE217A74A24B0DABDB48EFA8C0447EDBBF1FB18304F50462ED109D3602DB79A5958B88
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4157117519.000000000F6D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F6D0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_f6d0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: .$l$l$t
                                                                                                                                                  • API String ID: 0-168566397
                                                                                                                                                  • Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                                                                                                                  • Instruction ID: 42c987e28b958699985d8b0b2e491de07e42efd3d8299f5bb4d83842415800aa
                                                                                                                                                  • Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                                                                                                                  • Instruction Fuzzy Hash: 3D218D74A24B0DAFDB48EFA8C0447ADBAF1FF58304F50462ED109D3602DB799595CB88
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4156965076.000000000E7C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7C0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e7c0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: auth$logi$pass$user
                                                                                                                                                  • API String ID: 0-2393853802
                                                                                                                                                  • Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                                                                                                                                  • Instruction ID: 280ef208893187a9f4566b25b46f231e57278639f85f9b6b0946a9776d0a1161
                                                                                                                                                  • Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                                                                                                                                  • Instruction Fuzzy Hash: 8F21AE70614B0D8BCB05DF9D98906AEB7E1EF88344F00461A940AEB285D7B0DD148BC2
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4157117519.000000000F6D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F6D0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_f6d0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: auth$logi$pass$user
                                                                                                                                                  • API String ID: 0-2393853802
                                                                                                                                                  • Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                                                                                                                                  • Instruction ID: 9358a42345d9e3f84ee4cb8ca9b50fc2ff37c0cb75b4440ce2848f60d3f53947
                                                                                                                                                  • Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                                                                                                                                  • Instruction Fuzzy Hash: 4321C030614B0D8BCB05DF9998806EEB7E2EF88344F004619D40AEB346D7B4E9588BD6

                                                                                                                                                  Execution Graph

                                                                                                                                                  Execution Coverage:11.5%
                                                                                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                  Signature Coverage:0%
                                                                                                                                                  Total number of Nodes:350
                                                                                                                                                  Total number of Limit Nodes:20
                                                                                                                                                   execution_graph: 350 nodes and 20 limit nodes. The raw node/edge listing is a graph rendering and is not reproduced here; the graph encodes call edges, not the order in which the calls were made. API calls reached in the graph, grouped by the address range of the calling stub:
                                                                                                                                                   • 0x6d6xxxx stubs (the 06D60000 dump of xmAdkuQjxrS): NtQueryInformationProcess, CreateProcessA, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext, ResumeThread, OutputDebugStringW, CloseHandle
                                                                                                                                                   • 0xe62xxxx stubs: wrappers that forward to the CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext and ResumeThread stubs above (all reachable from the 0x6d6fce9 / 0x6d6fcf8 / 0x6d6fd56 entry nodes), plus PostMessageW
                                                                                                                                                   • 0x8axxxx stubs: CreateActCtxA, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, GetModuleHandleW, DuplicateHandle
                                                                                                                                                   • 0x26cxxxx stubs (the 026C0000 dump of xmAdkuQjxrS): CreateWindowExW, CallWindowProcW
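The stubs the execution graph ties together (CreateProcessA, then VirtualAllocEx, WriteProcessMemory, ReadProcessMemory and Wow64SetThreadContext against the new process, then ResumeThread) are the process-hollowing chain. The following is an added example, not part of the Joe Sandbox report or of the sample, of matching that chain in an ordered per-process API trace. The trace records, the PIDs and the rule itself (at least one cross-process write and one thread-context change between a CreateProcess and the ResumeThread on the same child) are assumptions of this example; the Nt* aliases are included so that a sample calling ntdll directly instead of kernel32 still matches.

```python
# Detect the process-hollowing call chain in an ordered API trace.
# Added example; the trace below is constructed and is not Joe Sandbox output.

# One record: (seq, caller_pid, api, target_pid).  target_pid is the process a
# cross-process API acted on and equals caller_pid for self-only calls.
SAMPLE_TRACE = [
    (1, 1234, "GetModuleHandleW", 1234),
    (2, 1234, "CreateProcessA", 5678),           # child created (suspended)
    (3, 1234, "NtQueryInformationProcess", 5678),
    (4, 1234, "ReadProcessMemory", 5678),        # read the child's image base
    (5, 1234, "VirtualAllocEx", 5678),
    (6, 1234, "WriteProcessMemory", 5678),       # headers
    (7, 1234, "WriteProcessMemory", 5678),       # sections
    (8, 1234, "Wow64SetThreadContext", 5678),    # redirect the entry point
    (9, 1234, "ResumeThread", 5678),
    (10, 1234, "CreateProcessA", 9999),          # benign child, untouched
    (11, 1234, "ResumeThread", 9999),
    (12, 4242, "WriteProcessMemory", 5678),      # write without create: not hollowing
]

# Win32 names plus the native-API equivalents (direct syscalls bypass kernel32).
CREATE = {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW", "NtCreateUserProcess"}
ALLOC = {"VirtualAllocEx", "NtAllocateVirtualMemory"}
WRITE = {"WriteProcessMemory", "NtWriteVirtualMemory"}
CONTEXT = {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"}
RESUME = {"ResumeThread", "NtResumeThread"}


def find_hollowing(trace):
    """Return one finding per (parent, child) pair where the parent created the
    child and, before resuming it, both wrote into its memory and replaced a
    thread context.  Records are processed in sequence order."""
    pending = {}     # (parent, child) -> stages seen since the CreateProcess call
    findings = []
    for seq, pid, api, target in sorted(trace):
        key = (pid, target)
        if api in CREATE and target != pid:
            pending[key] = {"created": seq, "alloc": [], "write": [], "context": []}
            continue
        st = pending.get(key)
        if st is None:
            continue            # no CreateProcess from this caller to this target
        if api in ALLOC:
            st["alloc"].append(seq)
        elif api in WRITE:
            st["write"].append(seq)
        elif api in CONTEXT:
            st["context"].append(seq)
        elif api in RESUME:
            if st["write"] and st["context"]:
                findings.append({
                    "parent": pid, "child": target,
                    "created_at": st["created"], "resumed_at": seq,
                    "allocs": len(st["alloc"]), "writes": len(st["write"]),
                })
            del pending[key]    # thread is running; later tampering is a new event
    return findings


if __name__ == "__main__":
    for finding in find_hollowing(SAMPLE_TRACE):
        print(finding)
```

The rule keys on the parent/child pair rather than on single API names, so ordinary CreateProcess and ResumeThread use (record 10 and 11) produces nothing, and a WriteProcessMemory from a process that did not create the target (record 12) is left to a separate injection rule.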
                                                                                                                                                  APIs
                                                                                                                                                  • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 06D61FC7
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000009.00000002.1786384708.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_9_2_6d60000_xmAdkuQjxrS.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InformationProcessQuery
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1778838933-0
                                                                                                                                                  • Opcode ID: a0afce28a361b6bff941fef897d14395d139af0b0e7a48af3f63880724380c90
                                                                                                                                                  • Instruction ID: 1a69f630c4e5b67fbe1193a6bee09df74a18d595185cbda107fcd256c7c92bb3
                                                                                                                                                  • Opcode Fuzzy Hash: a0afce28a361b6bff941fef897d14395d139af0b0e7a48af3f63880724380c90
                                                                                                                                                  • Instruction Fuzzy Hash: 1521EFB6D01259DFCB10CF9AD884ADEFBF4FB48310F10842AE958A7210C375A944CFA5
                                                                                                                                                  APIs
                                                                                                                                                  • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 06D61FC7
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000009.00000002.1786384708.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_9_2_6d60000_xmAdkuQjxrS.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InformationProcessQuery
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1778838933-0
                                                                                                                                                  • Opcode ID: 95442c4544dd58005106aa59eb708499eb051751b2a13b1c067b4321e98bb69c
                                                                                                                                                  • Instruction ID: a36a124246b264ad00d0785185a5b3053ce25e51e742cc8bd4168ad1dcf3c22d
                                                                                                                                                  • Opcode Fuzzy Hash: 95442c4544dd58005106aa59eb708499eb051751b2a13b1c067b4321e98bb69c
                                                                                                                                                  • Instruction Fuzzy Hash: 5D21BDB6D00259DFCB10CF9AD884ADEFBF4FB48320F10852AE958A7250C375A944CFA5
                                                                                                                                                  APIs
                                                                                                                                                  • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 06D61FC7
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000009.00000002.1786384708.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_9_2_6d60000_xmAdkuQjxrS.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InformationProcessQuery
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1778838933-0
                                                                                                                                                  • Opcode ID: 893987576871951c9511b883d185b2c9ffa95bba3b74f731466af416b1bf0099
                                                                                                                                                  • Instruction ID: 0ecdd6fdf5a894137db2b7e6ccfd713efe51842a41ea650e8f78b70b2646fa85
                                                                                                                                                  • Opcode Fuzzy Hash: 893987576871951c9511b883d185b2c9ffa95bba3b74f731466af416b1bf0099
                                                                                                                                                  • Instruction Fuzzy Hash: E1118C72905298DFCB51DFAAD848BCEBFF0EF59314F10819AE448A7261C3359654CF61
                                                                                                                                                  APIs
                                                                                                                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06D6DDBE
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000009.00000002.1786384708.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_9_2_6d60000_xmAdkuQjxrS.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CreateProcess
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 963392458-0
                                                                                                                                                  • Opcode ID: c90471ea640c742ccd2ccba5993f8d138368e97a713270cd7b810637de397636
                                                                                                                                                  • Instruction ID: 57178ab70897bf39eddb7ebbb355ebf45ba34bb8274d2de54e0b11d81359d19a
                                                                                                                                                  • Opcode Fuzzy Hash: c90471ea640c742ccd2ccba5993f8d138368e97a713270cd7b810637de397636
                                                                                                                                                  • Instruction Fuzzy Hash: 02A17971E00219DFEB60DFA9D840BDEBBB2FF48310F1485A9E849A7250DB749985CF91
                                                                                                                                                  APIs
                                                                                                                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06D6DDBE
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000009.00000002.1786384708.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_9_2_6d60000_xmAdkuQjxrS.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CreateProcess
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 963392458-0
                                                                                                                                                  • Opcode ID: c5b84e401d7c9b748122b5b996808fce049cf8b1b3129ea385129b6523443b5a
                                                                                                                                                  • Instruction ID: b9952aaaa36c51ce5750d28f9bf37be4878a8e099ebd331b208f68160919cae5
                                                                                                                                                  • Opcode Fuzzy Hash: c5b84e401d7c9b748122b5b996808fce049cf8b1b3129ea385129b6523443b5a
                                                                                                                                                  • Instruction Fuzzy Hash: 2A917A71E00219CFEB60DFA9D840BEDBBB2BF48310F1485A9E849E7250DB749985CF91
                                                                                                                                                  APIs
                                                                                                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 026C1AE2
                                                                                                                                                  Memory Dump Source
• Source File: 00000009.00000002.1771714968.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_26c0000_xmAdkuQjxrS.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 758a0f1c8f49a01682503a7912220249a4d4cdc6505bf25a8b070249e5d79023
• Instruction ID: 3bb806acbcf2d460d1a2d7bb931225e6e6734c7411f91b70736d2e3ffe922c61
• Opcode Fuzzy Hash: 758a0f1c8f49a01682503a7912220249a4d4cdc6505bf25a8b070249e5d79023
• Instruction Fuzzy Hash: 5C51D0B1D003499FDB14CF99C984ADEBBB1FF48300F24826EE819AB211D7749985CF90
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 026C1AE2
Memory Dump Source
• Source File: 00000009.00000002.1771714968.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_26c0000_xmAdkuQjxrS.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 79d29767e4e6c9256826a3101188db27aed0a322d5b8b95b9c49d64b449b5351
• Instruction ID: 5bb7959c095d877e9063d07cbcc318758bfe40d5c6af79398076660439a6e576
• Opcode Fuzzy Hash: 79d29767e4e6c9256826a3101188db27aed0a322d5b8b95b9c49d64b449b5351
• Instruction Fuzzy Hash: 8041CEB1D003199FDB14DF99C984ADEFBB5FF48310F24826AE818AB211D774A985CF90
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 026C4061
Memory Dump Source
• Source File: 00000009.00000002.1771714968.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_26c0000_xmAdkuQjxrS.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: 4543ab5648fd09d58cb759dccd74a9033761ce7ba57a383fc06fb83fe47f54b8
• Instruction ID: 306b4b6d50f52473b97e6f23b78060a0b47ff4db736153fd8cb1afc4f4bd737d
• Opcode Fuzzy Hash: 4543ab5648fd09d58cb759dccd74a9033761ce7ba57a383fc06fb83fe47f54b8
• Instruction Fuzzy Hash: C64115B4A00749CFCB14DF99C498AAABBF5FF88324F24C459D519AB321D775A841CFA0
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06D6D990
Memory Dump Source
• Source File: 00000009.00000002.1786384708.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6d60000_xmAdkuQjxrS.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 21d16e7dd9caf456e967a719b97e782414f9b51c9d7ddec47e479e38db0690db
• Instruction ID: 115efe6222b889fd1ef9d7c9b4fded1fa5fb8f69e200b4c585e7162057155381
• Opcode Fuzzy Hash: 21d16e7dd9caf456e967a719b97e782414f9b51c9d7ddec47e479e38db0690db
• Instruction Fuzzy Hash: 3C2117B19003599FCB10DFAAC885BDEBBF5FF48314F10882AE958A7250C7789554DBA4
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06D6D990
Memory Dump Source
• Source File: 00000009.00000002.1786384708.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6d60000_xmAdkuQjxrS.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 4bed31122cb24f7499adaee258abdd91deabe5b1fbc3eb11f5bc89e47f333096
• Instruction ID: 0c5d4f02c7ebb00c0c03c72f12a892cdeaa87ad2840e482e962c4d2eb1a842d2
• Opcode Fuzzy Hash: 4bed31122cb24f7499adaee258abdd91deabe5b1fbc3eb11f5bc89e47f333096
• Instruction Fuzzy Hash: 2D2127B1D003599FCB10DFAAC885BDEBBF5FF48314F10842AE958A7250C7789944CBA4
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06D6DA70
Memory Dump Source
• Source File: 00000009.00000002.1786384708.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6d60000_xmAdkuQjxrS.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: a5b1d7faf37981020a778d78491d913cda239e777ec7613b1355c3156c6fb70d
• Instruction ID: be49d86155468e1bfa9d38362a534ace877b5c5869cdb8ba0a4ae0830716df71
• Opcode Fuzzy Hash: a5b1d7faf37981020a778d78491d913cda239e777ec7613b1355c3156c6fb70d
• Instruction Fuzzy Hash: 5A2116B1D003599FDB10DFAAD885ADEFBF5FF48320F108429E559A7250C7789944CBA4
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06D6D7E6
Memory Dump Source
• Source File: 00000009.00000002.1786384708.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6d60000_xmAdkuQjxrS.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: f265daa53eebc2afda82917698a473af4e72d4a5a5863befe2a1a9614495cded
• Instruction ID: af5a521a8fff5acd20a363fcf3f3351d9d78eaa85084d9b6a58ac9d19c972e5f
• Opcode Fuzzy Hash: f265daa53eebc2afda82917698a473af4e72d4a5a5863befe2a1a9614495cded
• Instruction Fuzzy Hash: 73213971D003098FDB10DFAAC4857AEFBF5EF48320F108429D499A7240CB78A944CFA5
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06D6D7E6
Memory Dump Source
• Source File: 00000009.00000002.1786384708.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6d60000_xmAdkuQjxrS.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: 2d81403027a17f5e699bb253106342a866bbc41ecf1410c0071267787414b026
• Instruction ID: 62671aa42caa5d392ff4d323fffbb4a160e447a8a215e2a721578306bd7f76a7
• Opcode Fuzzy Hash: 2d81403027a17f5e699bb253106342a866bbc41ecf1410c0071267787414b026
• Instruction Fuzzy Hash: E1212975D003098FDB10DFAAC4857EEBBF5EF48324F148429D459A7241CB78A944CFA5
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06D6DA70
Memory Dump Source
• Source File: 00000009.00000002.1786384708.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6d60000_xmAdkuQjxrS.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 3f50e00816c99c922ed7846aa5ace39c07754a936a626b5ff92088a0166907d6
• Instruction ID: 634cbc5eeddcdae69ba3aad31033b3f0653493eff300e950f2bfcfeef012c99c
• Opcode Fuzzy Hash: 3f50e00816c99c922ed7846aa5ace39c07754a936a626b5ff92088a0166907d6
• Instruction Fuzzy Hash: 942128B1D003599FCB10DFAAC844ADEFBF5FF48320F108429E558A7250C7789544CBA4
APIs
• PostMessageW.USER32(?,?,?,?), ref: 0E621235
Memory Dump Source
• Source File: 00000009.00000002.1794021269.000000000E620000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E620000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_e620000_xmAdkuQjxrS.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: 847e0f0c90af816b0003d7dc86ff6f0c62e12a12eb6c785c32c6c12e4ce43f0b
• Instruction ID: c7987f8b79b6df8627aaa88a51059fe74c97511f0404121add1bcf5407480533
• Opcode Fuzzy Hash: 847e0f0c90af816b0003d7dc86ff6f0c62e12a12eb6c785c32c6c12e4ce43f0b
• Instruction Fuzzy Hash: 9C2106B68006199FDB20DF89D444BDEFBF4FB49320F20841AE558A7200C375AA84CFA1
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06D6D8AE
Memory Dump Source
• Source File: 00000009.00000002.1786384708.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6d60000_xmAdkuQjxrS.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 3464b0206381153d953373d735589d58e516446adaa368cd12846fe9f6a4b53a
• Instruction ID: 6509051ccf359cd4c78ebffe2d9f97057a20eaf801426cc4b117990a60a5133c
• Opcode Fuzzy Hash: 3464b0206381153d953373d735589d58e516446adaa368cd12846fe9f6a4b53a
• Instruction Fuzzy Hash: C5114771900248DFCB20DFAAD848ADEBBF5EF48320F208819E555A7260C775A540CFA0
                                                                                                                                                  APIs
                                                                                                                                                  • OutputDebugStringW.KERNELBASE(00000000), ref: 06D633C8
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000009.00000002.1786384708.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_9_2_6d60000_xmAdkuQjxrS.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: DebugOutputString
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1166629820-0
                                                                                                                                                  • Opcode ID: 0b7ba528da24ab1cae16fd4c76b3931b5ea694a250440b93740a1d949efae30d
                                                                                                                                                  • Instruction ID: af9b2638aedaa97b583da9c49dc4f29f8e025fd7e1743622fb92efc606eb5005
                                                                                                                                                  • Opcode Fuzzy Hash: 0b7ba528da24ab1cae16fd4c76b3931b5ea694a250440b93740a1d949efae30d
                                                                                                                                                  • Instruction Fuzzy Hash: 1C1132B5C0065A9BCB10CF9AD844BDEFBB4FB48320F10812AE818B7240C774AA45CFA5
APIs
• OutputDebugStringW.KERNELBASE(00000000), ref: 06D633C8
Memory Dump Source
• Source File: 00000009.00000002.1786384708.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6d60000_xmAdkuQjxrS.jbxd
Similarity
• API ID: DebugOutputString
• String ID:
• API String ID: 1166629820-0
APIs
Memory Dump Source
• Source File: 00000009.00000002.1786384708.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6d60000_xmAdkuQjxrS.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06D6D8AE
Memory Dump Source
• Source File: 00000009.00000002.1786384708.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6d60000_xmAdkuQjxrS.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
Memory Dump Source
• Source File: 00000009.00000002.1786384708.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6d60000_xmAdkuQjxrS.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
• PostMessageW.USER32(?,?,?,?), ref: 0E621235
Memory Dump Source
• Source File: 00000009.00000002.1794021269.000000000E620000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E620000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_e620000_xmAdkuQjxrS.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
Strings
Memory Dump Source
• Source File: 00000009.00000002.1771939653.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_2710000_xmAdkuQjxrS.jbxd
Similarity
• API ID:
• String ID: 1F;
• API String ID: 0-3451934482
APIs
• CloseHandle.KERNELBASE(00000000), ref: 06D63467
Memory Dump Source
• Source File: 00000009.00000002.1786384708.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6d60000_xmAdkuQjxrS.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
APIs
• CloseHandle.KERNELBASE(00000000), ref: 06D63467
Memory Dump Source
• Source File: 00000009.00000002.1786384708.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6d60000_xmAdkuQjxrS.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
Memory Dump Source
• Source File: 00000009.00000002.1771939653.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_2710000_xmAdkuQjxrS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000009.00000002.1771939653.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_2710000_xmAdkuQjxrS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000009.00000002.1771939653.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_2710000_xmAdkuQjxrS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000009.00000002.1771939653.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_2710000_xmAdkuQjxrS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000009.00000002.1769566910.000000000084D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0084D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_84d000_xmAdkuQjxrS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000009.00000002.1769638857.000000000085D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0085D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_85d000_xmAdkuQjxrS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                  • Opcode ID: 768e2ca0037b8fc39912e122b8d72e4d4222bad2d7a7e00bb0c248be809f2e3c
                                                                                                                                                  • Instruction ID: d2ed8257379c7bc3d1be748b1bf8c7e85faa999f1c0ce2e075a6f670b8941d36
                                                                                                                                                  • Opcode Fuzzy Hash: 768e2ca0037b8fc39912e122b8d72e4d4222bad2d7a7e00bb0c248be809f2e3c
                                                                                                                                                  • Instruction Fuzzy Hash: 49210471504304EFDB25DF14D9C0B26BBA5FB84319F20C66DEC098B396C37AE84ACA61
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000009.00000002.1769638857.000000000085D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0085D000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_9_2_85d000_xmAdkuQjxrS.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: c086ab5b44fa26972e27be6074a3888082b33aff9bbba778fd39e0fdb2a53cbb
                                                                                                                                                  • Instruction ID: 692c54aa6bd2fcfd0dfbf5471052000ce4a88b25bf02cf8042dafd29cfee7922
                                                                                                                                                  • Opcode Fuzzy Hash: c086ab5b44fa26972e27be6074a3888082b33aff9bbba778fd39e0fdb2a53cbb
                                                                                                                                                  • Instruction Fuzzy Hash: 5E21D075604704DFDB24DF14D984B26BBA5FB84319F20C569DC0A8B296C33AD84BCA61
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000009.00000002.1769638857.000000000085D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0085D000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_9_2_85d000_xmAdkuQjxrS.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: e7f6534e17e5a32c2e21340d8c06f739429e1bee78224e79ee57845977e2ea11
                                                                                                                                                  • Instruction ID: 23dc1b2c55645c75081f3aa42f84b0902eb39ba4aa541ec396c116fdf63406ba
                                                                                                                                                  • Opcode Fuzzy Hash: e7f6534e17e5a32c2e21340d8c06f739429e1bee78224e79ee57845977e2ea11
                                                                                                                                                  • Instruction Fuzzy Hash: D1219F755097808FDB12CF24D994B15BF71FB46314F28C5EADC498B6A7C33A980ACB62
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000009.00000002.1769566910.000000000084D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0084D000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_9_2_84d000_xmAdkuQjxrS.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                                                  • Instruction ID: 8340544fdcbbf10fcf4818afe80ba23a9efa2db84590b48a6fcf0bd0fc10b410
                                                                                                                                                  • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                                                  • Instruction Fuzzy Hash: F511D376504384CFCB16CF14D5C4B16BF71FB94318F24C6A9D8494B656C336D85ACBA1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000009.00000002.1769638857.000000000085D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0085D000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_9_2_85d000_xmAdkuQjxrS.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                                                  • Instruction ID: 1b7c61f97e8fb75ddb625cac28400697fe8aa0f932e83eaef38ca3d03beb938c
                                                                                                                                                  • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                                                  • Instruction Fuzzy Hash: 06118B75504380DFDB16CF14D5C4B15BBA2FB84314F24C6AEDC498B696C33AE84ACB61
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000009.00000002.1771939653.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_9_2_2710000_xmAdkuQjxrS.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 993424714a66112aad8f155c0c0c67f73b54542a4809528cc7ec5050c85ef504
                                                                                                                                                  • Instruction ID: 5b2e85671029ae687fd239101685ed2d63f7a8400f440c269fea4faf8c563cd2
                                                                                                                                                  • Opcode Fuzzy Hash: 993424714a66112aad8f155c0c0c67f73b54542a4809528cc7ec5050c85ef504
                                                                                                                                                  • Instruction Fuzzy Hash: 9501B5323402004FD7288A1DCC856697BD6EFC9314F2984B5E009DF3A6DB75DC058790
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000009.00000002.1771939653.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_9_2_2710000_xmAdkuQjxrS.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 9f5ae15502f376d57ace78978b04aa3063ecc321ab59d6dc0bd3c63a826a75ce
                                                                                                                                                  • Instruction ID: 98b21d52173339d39ff1d2e7561fcd1b90ede2fbf2b346019d6c7bdb88235b7d
                                                                                                                                                  • Opcode Fuzzy Hash: 9f5ae15502f376d57ace78978b04aa3063ecc321ab59d6dc0bd3c63a826a75ce
                                                                                                                                                  • Instruction Fuzzy Hash: 18014B31204644CFC7059B2CD9A88597BF6AF4A70471944A9E146CB372DB62EC46CB40
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000009.00000002.1771939653.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_9_2_2710000_xmAdkuQjxrS.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 34fdb3880553d050b7ff599c9cc921b55aaafd890ffca5dc9b0a821a6dfa9943
                                                                                                                                                  • Instruction ID: 730e552ad37a6943adcaa0c7c500796338a73997da3b3e76828ccf84d9ee2839
                                                                                                                                                  • Opcode Fuzzy Hash: 34fdb3880553d050b7ff599c9cc921b55aaafd890ffca5dc9b0a821a6dfa9943
                                                                                                                                                  • Instruction Fuzzy Hash: 4BF0BB723407564FC715572CA898D5AFFA9FF8622570587B9E20AC7262CE70DC4BC394
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000009.00000002.1771939653.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_9_2_2710000_xmAdkuQjxrS.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 747f5d75dc54a06705813311ca3264481fbf6e587ae0aca93a16f4d1b8570e40
                                                                                                                                                  • Instruction ID: ca929e31baf27e62b83c51a528110f8f3fabbe298dda6c98ea5b36256986b7ea
                                                                                                                                                  • Opcode Fuzzy Hash: 747f5d75dc54a06705813311ca3264481fbf6e587ae0aca93a16f4d1b8570e40
                                                                                                                                                  • Instruction Fuzzy Hash: 34F054327406154F87149A6EE88485AF7E9EFC4275300463AE10AC7225DF71DC098790
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000009.00000002.1771939653.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_9_2_2710000_xmAdkuQjxrS.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 8dffab1bb23ec664dfd3ada86e0ff5708f5d6aba243e8880cae03739d5126a3e
                                                                                                                                                  • Instruction ID: 9c2b9d66934db230b46e2209a9e6391763fc13a712f6bf169fedfec50e07bff1
                                                                                                                                                  • Opcode Fuzzy Hash: 8dffab1bb23ec664dfd3ada86e0ff5708f5d6aba243e8880cae03739d5126a3e
                                                                                                                                                  • Instruction Fuzzy Hash: 68E04FB295021DDBEB189B85F5047EEFF70FF8521AF200512D112B2550C7B10540CF91