Windows Analysis Report
z8eokahasflcrscooplasb.exe

Overview

General Information

Sample name: z8eokahasflcrscooplasb.exe
Analysis ID: 1544269
MD5: 1660c33123052f15e4e63891f23ddd1e
SHA1: 3b93eb0499260f494066d6a28f1238c1c440b04f
SHA256: 44ab353624b9e867ae31a0523437ed8e321f361d248b471c15bd2902255280f3
Tags: exe, user-Porcupine

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • z8eokahasflcrscooplasb.exe (PID: 6556 cmdline: "C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe" MD5: 1660C33123052F15E4E63891F23DDD1E)
    • powershell.exe (PID: 7088 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7116 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 3244 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmlPTospxjGJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D16.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 3488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • z8eokahasflcrscooplasb.exe (PID: 4928 cmdline: "C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe" MD5: 1660C33123052F15E4E63891F23DDD1E)
      • explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • explorer.exe (PID: 6272 cmdline: "C:\Windows\SysWOW64\explorer.exe" MD5: DD6597597673F72E10C9DE7901FBA0A8)
          • cmd.exe (PID: 7072 cmdline: /c del "C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 5568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • mstsc.exe (PID: 6892 cmdline: "C:\Windows\SysWOW64\mstsc.exe" MD5: EA4A02BE14C405327EEBA8D9AD2BD42C)
  • hmlPTospxjGJ.exe (PID: 4228 cmdline: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe MD5: 1660C33123052F15E4E63891F23DDD1E)
    • schtasks.exe (PID: 1284 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmlPTospxjGJ" /XML "C:\Users\user\AppData\Local\Temp\tmp9CC5.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • hmlPTospxjGJ.exe (PID: 7044 cmdline: "C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe" MD5: 1660C33123052F15E4E63891F23DDD1E)
  • cleanup
{"C2 list": ["www.31231851.xyz/dn13/"], "decoy": ["5q53s.top", "f9813.top", "ysticsmoke.net", "ignorysingeysquints.cfd", "yncsignature.live", "svp-their.xyz", "outya.xyz", "wlkflwef3sf2wf.top", "etterjugfetkaril.cfd", "p9eh2s99b5.top", "400108iqlnnqi219.top", "ynsu-condition.xyz", "ndividual-bfiaen.xyz", "anceibizamagazine.net", "itrussips.live", "orkcubefood.xyz", "lindsandfurnishings.shop", "ajwmid.top", "pigramescentfeatous.shop", "mbvcv56789.click", "rmei2-cnpj.website", "81uu.top", "cis.services", "ptionsxpress-17520.vip", "ltimatraceglow.vip", "apu4dmain.cfd", "hckc-sell.xyz", "nough-smae.xyz", "fsoiw-hotel.xyz", "mile-hkajwx.xyz", "ay-hbcsg.xyz", "articulart.net", "ozezae7.pro", "asy-jatcrz.xyz", "wiftsscend.click", "tinky.vip", "ould-ktlgl.xyz", "vagames.pro", "sncmk.shop", "trategy-eyewna.xyz", "orty.pro", "hanprojects.tech", "ronsoy.vip", "aoxiangwu.top", "8tsl.fashion", "ashersmeaningmellitz.cfd", "ood-packing-iasehq19x224.today", "oldier-zjfuu.xyz", "ysterywarrior932.top", "omercialec.shop", "ashclub.xyz", "trongenergetichealth.top", "addedcaitiffcanzos.shop", "ack-gtiij.xyz", "nformation-gdrs.xyz", "ouwmsoe.top", "apermatepens.net", "5i34whsisp.top", "appen-zuxs.xyz", "trennebaffinbayamon.cfd", "nablerententeewart.shop", "xpert-private-tutors.today", "zzw-tv.xyz", "ffvd-traditional.xyz"]}
Source | Rule | Description | Author | Strings
00000007.00000002.4152196445.000000000E839000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_772cc62d | unknown | unknown
  • 0xa82:$a2: pass
  • 0xa88:$a3: email
  • 0xa8f:$a4: login
  • 0xa96:$a5: signin
  • 0xaa7:$a6: persistent
  • 0xc7a:$r1: C:\Users\user\AppData\Roaming\88O31DTQ\88Olog.ini
0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
38 further entries not shown.
Source | Rule | Description | Author | Strings
6.2.z8eokahasflcrscooplasb.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
6.2.z8eokahasflcrscooplasb.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
6.2.z8eokahasflcrscooplasb.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
6.2.z8eokahasflcrscooplasb.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.z8eokahasflcrscooplasb.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18809:$sqlite3step: 68 34 1C 7B E1
  • 0x1891c:$sqlite3step: 68 34 1C 7B E1
  • 0x18838:$sqlite3text: 68 38 2A 90 C5
  • 0x1895d:$sqlite3text: 68 38 2A 90 C5
  • 0x1884b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18973:$sqlite3blob: 68 53 D8 7F 8C
25 further entries not shown.

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe", ParentImage: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe, ParentProcessId: 6556, ParentProcessName: z8eokahasflcrscooplasb.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe", ProcessId: 7088, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe", ParentImage: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe, ParentProcessId: 6556, ParentProcessName: z8eokahasflcrscooplasb.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe", ProcessId: 7088, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmlPTospxjGJ" /XML "C:\Users\user\AppData\Local\Temp\tmp9CC5.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmlPTospxjGJ" /XML "C:\Users\user\AppData\Local\Temp\tmp9CC5.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe, ParentImage: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe, ParentProcessId: 4228, ParentProcessName: hmlPTospxjGJ.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmlPTospxjGJ" /XML "C:\Users\user\AppData\Local\Temp\tmp9CC5.tmp", ProcessId: 1284, ProcessName: schtasks.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmlPTospxjGJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D16.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmlPTospxjGJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D16.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe", ParentImage: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe, ParentProcessId: 6556, ParentProcessName: z8eokahasflcrscooplasb.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmlPTospxjGJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D16.tmp", ProcessId: 3244, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe", ParentImage: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe, ParentProcessId: 6556, ParentProcessName: z8eokahasflcrscooplasb.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe", ProcessId: 7088, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmlPTospxjGJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D16.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmlPTospxjGJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D16.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe", ParentImage: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe, ParentProcessId: 6556, ParentProcessName: z8eokahasflcrscooplasb.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmlPTospxjGJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D16.tmp", ProcessId: 3244, ProcessName: schtasks.exe
No Suricata rule has matched

AV Detection

Source: z8eokahasflcrscooplasb.exe; Avira: detected
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe; Avira: detection malicious, Label: HEUR/AGEN.1309540
Source: 0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp; Malware Configuration Extractor: FormBook {"C2 list": ["www.31231851.xyz/dn13/"], "decoy": ["5q53s.top", "f9813.top", "ysticsmoke.net", "ignorysingeysquints.cfd", "yncsignature.live", "svp-their.xyz", "outya.xyz", "wlkflwef3sf2wf.top", "etterjugfetkaril.cfd", "p9eh2s99b5.top", "400108iqlnnqi219.top", "ynsu-condition.xyz", "ndividual-bfiaen.xyz", "anceibizamagazine.net", "itrussips.live", "orkcubefood.xyz", "lindsandfurnishings.shop", "ajwmid.top", "pigramescentfeatous.shop", "mbvcv56789.click", "rmei2-cnpj.website", "81uu.top", "cis.services", "ptionsxpress-17520.vip", "ltimatraceglow.vip", "apu4dmain.cfd", "hckc-sell.xyz", "nough-smae.xyz", "fsoiw-hotel.xyz", "mile-hkajwx.xyz", "ay-hbcsg.xyz", "articulart.net", "ozezae7.pro", "asy-jatcrz.xyz", "wiftsscend.click", "tinky.vip", "ould-ktlgl.xyz", "vagames.pro", "sncmk.shop", "trategy-eyewna.xyz", "orty.pro", "hanprojects.tech", "ronsoy.vip", "aoxiangwu.top", "8tsl.fashion", "ashersmeaningmellitz.cfd", "ood-packing-iasehq19x224.today", "oldier-zjfuu.xyz", "ysterywarrior932.top", "omercialec.shop", "ashclub.xyz", "trongenergetichealth.top", "addedcaitiffcanzos.shop", "ack-gtiij.xyz", "nformation-gdrs.xyz", "ouwmsoe.top", "apermatepens.net", "5i34whsisp.top", "appen-zuxs.xyz", "trennebaffinbayamon.cfd", "nablerententeewart.shop", "xpert-private-tutors.today", "zzw-tv.xyz", "ffvd-traditional.xyz"]}
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe; ReversingLabs: Detection: 42%
Source: z8eokahasflcrscooplasb.exe; ReversingLabs: Detection: 42%
Source: z8eokahasflcrscooplasb.exe; Virustotal: Detection: 50%
Source: Yara match; File source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.4142442058.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.1798416868.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.4142618324.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.1797788735.00000000047B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1738168322.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe; Joe Sandbox ML: detected
Source: z8eokahasflcrscooplasb.exe; Joe Sandbox ML: detected
Source: z8eokahasflcrscooplasb.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: z8eokahasflcrscooplasb.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: explorer.pdbUGP source: z8eokahasflcrscooplasb.exe, 00000006.00000002.1781377262.0000000003050000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4140142855.0000000000B10000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: z8eokahasflcrscooplasb.exe, 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1778225817.0000000004E29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1780381042.0000000004FDB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4143177076.0000000005190000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4143177076.000000000532E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000003.1794487562.0000000004287000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000002.1799219237.00000000045E0000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000002.1799219237.000000000477E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000003.1797005090.000000000443A000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: z8eokahasflcrscooplasb.exe, z8eokahasflcrscooplasb.exe, 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1778225817.0000000004E29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1780381042.0000000004FDB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4143177076.0000000005190000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4143177076.000000000532E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000003.1794487562.0000000004287000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000002.1799219237.00000000045E0000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000002.1799219237.000000000477E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000003.1797005090.000000000443A000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: mstsc.pdbGCTL source: hmlPTospxjGJ.exe, 0000000D.00000002.1804332012.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000E.00000002.1798826688.0000000000B30000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: explorer.pdb source: z8eokahasflcrscooplasb.exe, 00000006.00000002.1781377262.0000000003050000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4140142855.0000000000B10000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: mstsc.pdb source: hmlPTospxjGJ.exe, 0000000D.00000002.1804332012.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000E.00000002.1798826688.0000000000B30000.00000040.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe; File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe; File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULL
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe; File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe; File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\NULL
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe; File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe; File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe; Code function: 4x nop then jmp 07F86DDAh; function 0_2_07F872B6
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe; Code function: 4x nop then pop esi; function 6_2_004172E7
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe; Code function: 4x nop then jmp 0D546312h; function 8_2_0D5467EE

Networking

Source: Malware configuration extractor; URLs: www.31231851.xyz/dn13/
Source: DNS query: www.mile-hkajwx.xyz
Source: unknown; DNS traffic detected: query: www.ood-packing-iasehq19x224.today replaycode: Name error (3)
Source: unknown; DNS traffic detected: query: www.ozezae7.pro replaycode: Name error (3)
Source: unknown; DNS traffic detected: query: www.f9813.top replaycode: Name error (3)
Source: unknown; DNS traffic detected: query: www.anceibizamagazine.net replaycode: Name error (3)
Source: unknown; DNS traffic detected: query: www.orty.pro replaycode: Name error (3)
Source: unknown; DNS traffic detected: query: www.mile-hkajwx.xyz replaycode: Name error (3)
Source: unknown; DNS traffic detected: query: www.pigramescentfeatous.shop replaycode: Name error (3)
Source: unknown; DNS traffic detected: query: www.lindsandfurnishings.shop replaycode: Name error (3)
Source: unknown; DNS traffic detected: query: www.ysticsmoke.net replaycode: Name error (3)
Source: unknown; DNS traffic detected: query: www.ysterywarrior932.top replaycode: Name error (3)
Source: unknown; DNS traffic detected: query: www.wlkflwef3sf2wf.top replaycode: Name error (3)
(the same eleven failed queries are reported a second time)
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 11 times)
Source: global traffic; DNS traffic detected: DNS query: www.ysterywarrior932.top
Source: global traffic; DNS traffic detected: DNS query: www.mile-hkajwx.xyz
Source: global traffic; DNS traffic detected: DNS query: www.ood-packing-iasehq19x224.today
Source: global traffic; DNS traffic detected: DNS query: www.wlkflwef3sf2wf.top
Source: global traffic; DNS traffic detected: DNS query: www.anceibizamagazine.net
Source: global traffic; DNS traffic detected: DNS query: www.ozezae7.pro
Source: global traffic; DNS traffic detected: DNS query: www.orty.pro
Source: global traffic; DNS traffic detected: DNS query: www.lindsandfurnishings.shop
Source: global traffic; DNS traffic detected: DNS query: www.ysticsmoke.net
Source: global traffic; DNS traffic detected: DNS query: www.pigramescentfeatous.shop
Source: global traffic; DNS traffic detected: DNS query: www.f9813.top
Source: explorer.exe, 00000007.00000002.4147605314.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1724892817.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3112970647.000000000982D000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000007.00000002.4147605314.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1724892817.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3112970647.000000000982D000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000007.00000002.4147605314.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1724892817.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3112970647.000000000982D000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000007.00000002.4147605314.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1724892817.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3112970647.000000000982D000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000007.00000002.4144709532.00000000078A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.00000000078AD000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000007.00000002.4147007457.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.4148545667.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.4146548295.0000000007F40000.00000002.00000001.00040000.00000000.sdmp; String found in binary or memory: http://schemas.micro
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1737247647.0000000003572000.00000004.00000800.00020000.00000000.sdmp, hmlPTospxjGJ.exe, 00000008.00000002.1779409471.0000000003140000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://www.31231851.xyz
Source: explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://www.31231851.xyz/dn13/
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://www.31231851.xyzReferer:
Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://www.anceibizamagazine.net
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.anceibizamagazine.net/dn13/
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.anceibizamagazine.net/dn13/www.ozezae7.pro
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.anceibizamagazine.netReferer:
          Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ashclub.xyz
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ashclub.xyz/dn13/
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ashclub.xyz/dn13/www.p9eh2s99b5.top
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ashclub.xyzReferer:
          Source: explorer.exe, 00000007.00000003.3110687045.000000000C9AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151466263.000000000C9AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108517681.000000000C9A5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485621993.000000000C9AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1736493405.000000000C964000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
          Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.f9813.top
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.f9813.top/dn13/
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.f9813.top/dn13/www.trennebaffinbayamon.cfd
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.f9813.topReferer:
          Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
          Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
          Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lindsandfurnishings.shop
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lindsandfurnishings.shop/dn13/
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lindsandfurnishings.shop/dn13/www.ysticsmoke.net
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lindsandfurnishings.shopReferer:
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mile-hkajwx.xyz
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mile-hkajwx.xyz/dn13/
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mile-hkajwx.xyz/dn13/www.ood-packing-iasehq19x224.today
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mile-hkajwx.xyzReferer:
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ood-packing-iasehq19x224.today
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ood-packing-iasehq19x224.today/dn13/
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ood-packing-iasehq19x224.today/dn13/www.wlkflwef3sf2wf.top
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ood-packing-iasehq19x224.todayReferer:
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.orty.pro
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.orty.pro/dn13/
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.orty.pro/dn13/www.lindsandfurnishings.shop
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.orty.proReferer:
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.outya.xyz
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.outya.xyz/dn13/
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.outya.xyz/dn13/www.f9813.top
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.outya.xyzReferer:
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ozezae7.pro
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ozezae7.pro/dn13/
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ozezae7.pro/dn13/www.orty.pro
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ozezae7.proReferer:
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.p9eh2s99b5.top
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.p9eh2s99b5.top/dn13/
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.p9eh2s99b5.top/dn13/www.31231851.xyz
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.p9eh2s99b5.topReferer:
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.pigramescentfeatous.shop
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.pigramescentfeatous.shop/dn13/
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.pigramescentfeatous.shop/dn13/www.outya.xyz
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.pigramescentfeatous.shopReferer:
          Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741017878.0000000005D14000.00000004.00000020.00020000.00000000.sdmp, z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
          Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.trennebaffinbayamon.cfd
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.trennebaffinbayamon.cfd/dn13/
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.trennebaffinbayamon.cfd/dn13/www.ashclub.xyz
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.trennebaffinbayamon.cfdReferer:
          Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
          Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wlkflwef3sf2wf.top
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wlkflwef3sf2wf.top/dn13/
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wlkflwef3sf2wf.top/dn13/www.anceibizamagazine.net
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wlkflwef3sf2wf.topReferer:
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ysterywarrior932.top
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ysterywarrior932.top/dn13/
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ysterywarrior932.top/dn13/www.mile-hkajwx.xyz
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ysterywarrior932.topReferer:
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ysticsmoke.net
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ysticsmoke.net/dn13/
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ysticsmoke.net/dn13/www.pigramescentfeatous.shop
          Source: explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ysticsmoke.netReferer:
          Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
          Source: explorer.exe, 00000007.00000003.3110797722.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1736493405.000000000C893000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
          Source: explorer.exe, 00000007.00000002.4144709532.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/Vh5j3k
          Source: explorer.exe, 00000007.00000002.4144709532.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/odirmr
          Source: explorer.exe, 00000007.00000000.1736493405.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOS
          Source: explorer.exe, 00000007.00000003.3112970647.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1724892817.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4147605314.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/
          Source: explorer.exe, 00000007.00000003.3112970647.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1724892817.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4147605314.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/q
          Source: explorer.exe, 00000007.00000002.4142329980.000000000370D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1718357985.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4140317801.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1717337994.0000000001240000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 00000007.00000002.4147605314.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3112970647.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1724892817.00000000096DF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
          Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
          Source: explorer.exe, 00000007.00000003.3112970647.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1724892817.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4147605314.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
          Source: explorer.exe, 00000007.00000002.4147605314.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3112970647.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1724892817.00000000096DF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.comi
          Source: explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
          Source: explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
          Source: explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
          Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
          Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
          Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
          Source: explorer.exe, 00000007.00000002.4144709532.00000000078A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
          Source: explorer.exe, 00000007.00000002.4144709532.00000000078A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
          Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
          Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
          Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
          Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
          Source: explorer.exe, 00000007.00000000.1736493405.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4150366155.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111370525.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3486378927.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.com
          Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
          Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
          Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
          Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
          Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
          Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
          Source: explorer.exe, 00000007.00000002.4144709532.00000000078A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
          Source: explorer.exe, 00000007.00000000.1736493405.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4150366155.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111370525.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3486378927.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.com_
          Source: explorer.exe, 00000007.00000000.1736493405.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4150366155.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111370525.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3486378927.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://powerpoint.office.comcember
          Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
          Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000007.00000002.4150366155.000000000C557000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://wns.windows.com/L
          Source: explorer.exe, 00000007.00000000.1736493405.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4150366155.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111370525.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3486378927.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://word.office.com
          Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
          Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
          Source: explorer.exe, 00000007.00000002.4144709532.00000000078A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
          Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
          Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
          Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
          Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
          Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
          Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
          Source: explorer.exe, 00000007.00000000.1721047830.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
          Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
          Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
          Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
          Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com:443/en-us/feed
          Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
          Source: explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

          E-Banking Fraud

          Source: Yara match | File source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.4142442058.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.1798416868.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.4142618324.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.1797788735.00000000047B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1738168322.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.4152196445.000000000E839000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
          Source: 0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.4142442058.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000A.00000002.4142442058.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.4142442058.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000002.1798416868.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000E.00000002.1798416868.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.1798416868.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.4142618324.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000A.00000002.4142618324.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.4142618324.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.1797788735.00000000047B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000008.00000002.1797788735.00000000047B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.1797788735.00000000047B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.1738168322.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000000.00000002.1738168322.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.1738168322.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: z8eokahasflcrscooplasb.exe PID: 6556, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: z8eokahasflcrscooplasb.exe PID: 4928, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: hmlPTospxjGJ.exe PID: 4228, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: explorer.exe PID: 6272, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: mstsc.exe PID: 6892, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 0_2_094A3B8C NtQueryInformationProcess,0_2_094A3B8C
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 0_2_094A8BB8 NtQueryInformationProcess,0_2_094A8BB8
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 0_2_094A8C00 NtQueryInformationProcess,0_2_094A8C00
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_0041A320 NtCreateFile,6_2_0041A320
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_0041A3D0 NtReadFile,6_2_0041A3D0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_0041A450 NtClose,6_2_0041A450
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_0041A500 NtAllocateVirtualMemory,6_2_0041A500
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_0041A3CF NtReadFile,6_2_0041A3CF
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_0041A4FA NtAllocateVirtualMemory,6_2_0041A4FA
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01362B60 NtClose,LdrInitializeThunk,6_2_01362B60
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01362BF0 NtAllocateVirtualMemory,LdrInitializeThunk,6_2_01362BF0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01362AD0 NtReadFile,LdrInitializeThunk,6_2_01362AD0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01362D30 NtUnmapViewOfSection,LdrInitializeThunk,6_2_01362D30
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01362D10 NtMapViewOfSection,LdrInitializeThunk,6_2_01362D10
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01362DF0 NtQuerySystemInformation,LdrInitializeThunk,6_2_01362DF0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01362DD0 NtDelayExecution,LdrInitializeThunk,6_2_01362DD0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01362C70 NtFreeVirtualMemory,LdrInitializeThunk,6_2_01362C70
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01362CA0 NtQueryInformationToken,LdrInitializeThunk,6_2_01362CA0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01362F30 NtCreateSection,LdrInitializeThunk,6_2_01362F30
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01362FB0 NtResumeThread,LdrInitializeThunk,6_2_01362FB0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01362F90 NtProtectVirtualMemory,LdrInitializeThunk,6_2_01362F90
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01362FE0 NtCreateFile,LdrInitializeThunk,6_2_01362FE0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01362EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,6_2_01362EA0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01362E80 NtReadVirtualMemory,LdrInitializeThunk,6_2_01362E80
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01364340 NtSetContextThread,6_2_01364340
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01364650 NtSuspendThread,6_2_01364650
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01362BA0 NtEnumerateValueKey,6_2_01362BA0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01362B80 NtQueryInformationFile,6_2_01362B80
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01362BE0 NtQueryValueKey,6_2_01362BE0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01362AB0 NtWaitForSingleObject,6_2_01362AB0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01362AF0 NtWriteFile,6_2_01362AF0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01362D00 NtSetInformationFile,6_2_01362D00
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01362DB0 NtEnumerateKey,6_2_01362DB0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01362C00 NtQueryInformationProcess,6_2_01362C00
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01362C60 NtCreateKey,6_2_01362C60
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01362CF0 NtOpenProcess,6_2_01362CF0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01362CC0 NtQueryVirtualMemory,6_2_01362CC0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01362F60 NtCreateProcessEx,6_2_01362F60
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01362FA0 NtQuerySection,6_2_01362FA0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01362E30 NtWriteVirtualMemory,6_2_01362E30
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01362EE0 NtQueueApcThread,6_2_01362EE0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01363010 NtOpenDirectoryObject,6_2_01363010
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01363090 NtSetValueKey,6_2_01363090
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013635C0 NtCreateMutant,6_2_013635C0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013639B0 NtGetContextThread,6_2_013639B0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01363D10 NtOpenProcessToken,6_2_01363D10
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01363D70 NtOpenThread,6_2_01363D70
          Source: C:\Windows\explorer.exe | Code function: 7_2_0E822E12 NtProtectVirtualMemory,7_2_0E822E12
          Source: C:\Windows\explorer.exeCode function: 7_2_0E821232 NtCreateFile,7_2_0E821232
          Source: C:\Windows\explorer.exeCode function: 7_2_0E822E0A NtProtectVirtualMemory,7_2_0E822E0A
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exeCode function: 8_2_07543B8C NtQueryInformationProcess,8_2_07543B8C
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exeCode function: 8_2_07548C00 NtQueryInformationProcess,8_2_07548C00
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exeCode function: 8_2_07548BB8 NtQueryInformationProcess,8_2_07548BB8
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe, Code function: String function: 013AF290 appears 103 times
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe, Code function: String function: 01365130 appears 58 times
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe, Code function: String function: 0139EA12 appears 86 times
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe, Code function: String function: 01377E54 appears 107 times
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe, Code function: String function: 0131B970 appears 262 times
Source: z8eokahasflcrscooplasb.exe, 00000000.00000000.1690667748.0000000000EC2000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: OriginalFilenameGUyZ.exe" vs z8eokahasflcrscooplasb.exe
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1735007844.000000000149E000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs z8eokahasflcrscooplasb.exe
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1738168322.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameTyrone.dll8 vs z8eokahasflcrscooplasb.exe
Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1742886010.0000000007EF0000.00000004.08000000.00040000.00000000.sdmp, Binary or memory string: OriginalFilenameTyrone.dll8 vs z8eokahasflcrscooplasb.exe
Source: z8eokahasflcrscooplasb.exe, 00000006.00000002.1781377262.0000000003050000.00000040.10000000.00040000.00000000.sdmp, Binary or memory string: \[FileVersionLegalCopyrightOriginalFilenameInternalNameCompanyNameProductNameProductVersionFileDescription vs z8eokahasflcrscooplasb.exe
Source: z8eokahasflcrscooplasb.exe, 00000006.00000002.1778983247.000000000141D000.00000040.00001000.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs z8eokahasflcrscooplasb.exe
Source: z8eokahasflcrscooplasb.exe, 00000006.00000002.1781377262.0000000003471000.00000040.10000000.00040000.00000000.sdmp, Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs z8eokahasflcrscooplasb.exe
Source: z8eokahasflcrscooplasb.exe, Binary or memory string: OriginalFilenameGUyZ.exe" vs z8eokahasflcrscooplasb.exe
Source: z8eokahasflcrscooplasb.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.4152196445.000000000E839000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.4142442058.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.4142442058.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.4142442058.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.1798416868.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000E.00000002.1798416868.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.1798416868.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.4142618324.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000A.00000002.4142618324.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.4142618324.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.1797788735.00000000047B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000008.00000002.1797788735.00000000047B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.1797788735.00000000047B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.1738168322.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.1738168322.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.1738168322.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: z8eokahasflcrscooplasb.exe PID: 6556, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: z8eokahasflcrscooplasb.exe PID: 4928, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: hmlPTospxjGJ.exe PID: 4228, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: explorer.exe PID: 6272, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: mstsc.exe PID: 6892, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: z8eokahasflcrscooplasb.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: hmlPTospxjGJ.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, jNYRDG971dk7SO4v5G.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, jNYRDG971dk7SO4v5G.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, jNYRDG971dk7SO4v5G.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, jNYRDG971dk7SO4v5G.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, DHOsMMb33pVMGnPfHl.cs | Security API names: _0020.SetAccessControl; System.Security.Principal.WindowsIdentity.GetCurrent(); _0020.AddAccessRule
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, DHOsMMb33pVMGnPfHl.cs | Security API names: _0020.SetAccessControl; System.Security.Principal.WindowsIdentity.GetCurrent(); _0020.AddAccessRule
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, jNYRDG971dk7SO4v5G.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, DHOsMMb33pVMGnPfHl.cs | Security API names: _0020.SetAccessControl; System.Security.Principal.WindowsIdentity.GetCurrent(); _0020.AddAccessRule
Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, DHOsMMb33pVMGnPfHl.cs | Security API names: _0020.SetAccessControl; System.Security.Principal.WindowsIdentity.GetCurrent(); _0020.AddAccessRule
Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, DHOsMMb33pVMGnPfHl.cs | Security API names: _0020.SetAccessControl; System.Security.Principal.WindowsIdentity.GetCurrent(); _0020.AddAccessRule
Source: classification engine | Classification label: mal100.troj.evad.winEXE@275/11@11/0
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | File created: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7100:120:WilError_03
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5568:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3488:120:WilError_03
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe | Mutant created: \Sessions\1\BaseNamedObjects\TshhkPVhzWqKSHWyhPH
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | File created: C:\Users\user\AppData\Local\Temp\tmp8D16.tmp
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: z8eokahasflcrscooplasb.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: z8eokahasflcrscooplasb.exe | ReversingLabs: Detection: 42%
Source: z8eokahasflcrscooplasb.exe | Virustotal: Detection: 50%
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | File read: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe
Source: unknown | Process created: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe "C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe"
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmlPTospxjGJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D16.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Process created: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe "C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\SysWOW64\explorer.exe"
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmlPTospxjGJ" /XML "C:\Users\user\AppData\Local\Temp\tmp9CC5.tmp"
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe | Process created: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe "C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe"
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\mstsc.exe "C:\Windows\SysWOW64\mstsc.exe"
Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
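The process-creation chain listed above is the part of this report that translates most directly into detection logic: a .NET dropper that excludes its persistence copy from Defender with Add-MpPreference, registers a scheduled task from an XML file in %Temp%, relaunches its own image, has the real explorer.exe spawn 32-bit explorer.exe and mstsc.exe from SysWOW64, and finally deletes the original sample with cmd /c del. The following is an added example, not part of the Joe Sandbox report: a small rule set run over process-creation events constructed from the "Process created" lines above (plus one benign control event). The event field names, rule names, weights and the verdict threshold are this example's own assumptions, not a vendor schema.

```python
"""Detection rules for the FormBook dropper chain recorded in the sandbox
report (added example, not part of the Joe Sandbox report).

EVENTS below is constructed from the report's "Process created" lines and
shaped like a minimal Sysmon Event ID 1 record (ParentImage, Image,
CommandLine). Rule names, weights and the threshold are assumptions."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str   # ParentImage; "" where the sandbox recorded "unknown"
    image: str          # Image of the created process
    command_line: str   # CommandLine of the created process


DROPPER = r"C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe"
PS_EXE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# Constructed from the report; index 8 is a constructed benign control event.
EVENTS = [
    ProcEvent("", DROPPER, '"' + DROPPER + '"'),
    ProcEvent(DROPPER, PS_EXE,
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe"'),
    ProcEvent(PS_EXE, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(DROPPER, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmlPTospxjGJ" '
              r'/XML "C:\Users\user\AppData\Local\Temp\tmp8D16.tmp"'),
    ProcEvent(DROPPER, DROPPER, '"' + DROPPER + '"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\SysWOW64\explorer.exe",
              r'"C:\Windows\SysWOW64\explorer.exe"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\SysWOW64\mstsc.exe",
              r'"C:\Windows\SysWOW64\mstsc.exe"'),
    ProcEvent(r"C:\Windows\SysWOW64\explorer.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r'/c del "C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              "notepad.exe"),  # constructed benign control
]


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_defender_exclusion(e: ProcEvent) -> bool:
    """PowerShell adding a Defender exclusion path (the report's first child)."""
    cl = e.command_line.lower()
    return _base(e.image) == "powershell.exe" and "add-mppreference" in cl and "-exclusionpath" in cl


def is_schtasks_from_temp(e: ProcEvent) -> bool:
    """schtasks /Create importing a task definition from the user's Temp folder."""
    cl = e.command_line.lower()
    return (_base(e.image) == "schtasks.exe" and "/create" in cl and "/xml" in cl
            and "\\appdata\\local\\temp\\" in cl)


def is_self_spawn(e: ProcEvent) -> bool:
    """A process starting a second instance of its own image (hollowing target)."""
    return e.image != "" and e.parent_image.lower() == e.image.lower()


def is_explorer_to_wow64(e: ProcEvent) -> bool:
    """The 64-bit shell spawning a 32-bit SysWOW64 binary (explorer.exe, mstsc.exe)."""
    return (e.parent_image.lower() == r"c:\windows\explorer.exe"
            and e.image.lower().startswith("c:\\windows\\syswow64\\"))


_SELF_DELETE_RE = re.compile(r'/c\s+del\s+"?[^"]+\.exe"?', re.IGNORECASE)


def is_self_delete(e: ProcEvent) -> bool:
    """cmd.exe deleting an executable, as with the original sample here."""
    return _base(e.image) == "cmd.exe" and _SELF_DELETE_RE.search(e.command_line) is not None


# rule name -> (predicate, weight); weights are assumptions for this example
RULES = {
    "defender_exclusion": (is_defender_exclusion, 3),
    "schtasks_from_temp": (is_schtasks_from_temp, 2),
    "self_spawn": (is_self_spawn, 2),
    "explorer_to_wow64": (is_explorer_to_wow64, 3),
    "self_delete": (is_self_delete, 2),
}


def analyze(events):
    """Map each fired rule name to the indices of the events that fired it."""
    hits = {}
    for idx, e in enumerate(events):
        for name, (pred, _weight) in RULES.items():
            if pred(e):
                hits.setdefault(name, []).append(idx)
    return hits


def score(events) -> int:
    """Sum the weight of every distinct rule that fired (once per rule)."""
    return sum(RULES[name][1] for name in analyze(events))


def verdict(events, threshold: int = 5) -> str:
    return "malicious" if score(events) >= threshold else "benign"


if __name__ == "__main__":
    for name, idxs in analyze(EVENTS).items():
        print(f"{name}: events {idxs}")
    print("score", score(EVENTS), "->", verdict(EVENTS))
```

Each rule on its own is a weak signal (administrators do add Defender exclusions and import task XML); the point of scoring them together is that the chain as a whole, ending with the original sample deleting itself, is what separates this dropper from routine activity. Tune the weights and threshold against your own telemetry before deploying.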
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, windowscodecs.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, textshaping.dll, iconcodecservice.dll, ntmarta.dll, sspicli.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Sections loaded: kernel.appcore.dll, taskschd.dll, sspicli.dll
Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe | Sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, windowscodecs.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, textshaping.dll, iconcodecservice.dll, ntmarta.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exeSection loaded: slc.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: aepic.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: twinapi.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: userenv.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iphlpapi.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: powrprof.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dxgi.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: propsys.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: coremessaging.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: urlmon.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wtsapi32.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wininet.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dwmapi.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: twinapi.appcore.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: ntmarta.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wldp.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iertutil.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: srvcli.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: netutils.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: umpdc.dll
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: winhttp.dll
          Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: credui.dll
          Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: secur32.dll
          Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: cryptui.dll
          Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: wininet.dll
          Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: version.dll
          Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: netapi32.dll
          Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: winmm.dll
          Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: ktmw32.dll
          Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: iphlpapi.dll
          Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: cryptbase.dll
          Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: netutils.dll
          Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: wkscli.dll
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: z8eokahasflcrscooplasb.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: z8eokahasflcrscooplasb.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: explorer.pdbUGP source: z8eokahasflcrscooplasb.exe, 00000006.00000002.1781377262.0000000003050000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4140142855.0000000000B10000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: z8eokahasflcrscooplasb.exe, 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1778225817.0000000004E29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1780381042.0000000004FDB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4143177076.0000000005190000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4143177076.000000000532E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000003.1794487562.0000000004287000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000002.1799219237.00000000045E0000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000002.1799219237.000000000477E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000003.1797005090.000000000443A000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: z8eokahasflcrscooplasb.exe, z8eokahasflcrscooplasb.exe, 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1778225817.0000000004E29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1780381042.0000000004FDB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4143177076.0000000005190000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4143177076.000000000532E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000003.1794487562.0000000004287000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000002.1799219237.00000000045E0000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000002.1799219237.000000000477E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000E.00000003.1797005090.000000000443A000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: mstsc.pdbGCTL source: hmlPTospxjGJ.exe, 0000000D.00000002.1804332012.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000E.00000002.1798826688.0000000000B30000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: explorer.pdb source: z8eokahasflcrscooplasb.exe, 00000006.00000002.1781377262.0000000003050000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4140142855.0000000000B10000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: mstsc.pdb source: hmlPTospxjGJ.exe, 0000000D.00000002.1804332012.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000E.00000002.1798826688.0000000000B30000.00000040.80000000.00040000.00000000.sdmp
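          The explorer.pdb and mstsc.pdb strings above were not found only in explorer.exe and mstsc.exe: the same debug records sit in executable memory of the submitted sample (process 6) and of the dropped copy hmlPTospxjGJ.exe (process 13), which never loaded those images. A debug record for a module the process has not loaded is a usable trace of an injector holding a copy of its hollowing target. The following Python, added here as an example and not part of the Joe Sandbox report, scans a memory dump for CodeView RSDS records (signature, GUID, age, NUL-terminated PDB path) and flags PDB names that belong to no module the process is expected to have loaded. The dump bytes, GUIDs and paths are constructed for the test; on a real dump the expected-module set comes from the process's loaded-module list, for example the Section loaded entries above.

```python
import struct
import uuid

RSDS_SIG = b"RSDS"   # CodeView PDB 7.0 record signature


def build_rsds(pdb_path: str, guid: uuid.UUID, age: int) -> bytes:
    """Lay out an RSDS record as linkers emit it: 'RSDS' | GUID (little-endian) | age | NUL-terminated path."""
    return RSDS_SIG + guid.bytes_le + struct.pack("<I", age) + pdb_path.encode("ascii") + b"\x00"


def find_pdb_records(blob: bytes, max_path: int = 512):
    """Scan any byte blob (memory dump, file) for RSDS records.
    Returns a list of (offset, guid, age, pdb_path); stray 'RSDS' bytes that are
    not followed by a printable .pdb path are ignored."""
    found = []
    pos = blob.find(RSDS_SIG)
    while pos != -1:
        body = blob[pos + 4:]
        if len(body) >= 20:
            guid = uuid.UUID(bytes_le=body[:16])
            age = struct.unpack_from("<I", body, 16)[0]
            end = body.find(b"\x00", 20, 20 + max_path)
            if end != -1:
                path = body[20:end]
                if path.lower().endswith(b".pdb") and all(0x20 <= c < 0x7F for c in path):
                    found.append((pos, str(guid), age, path.decode("ascii")))
        pos = blob.find(RSDS_SIG, pos + 4)
    return found


def foreign_pdb_paths(records, expected_modules):
    """PDB paths whose base name matches none of the modules expected in the process."""
    expected = {m.lower() for m in expected_modules}
    foreign = []
    for _, _, _, path in records:
        base = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base not in expected:
            foreign.append(path)
    return foreign


# Constructed dump (not bytes from the analyzed sample): a hypothetical process
# "sample.exe" carrying explorer.exe's debug record although it never loaded
# explorer.exe. GUIDs and paths are made up for the test.
SAMPLE_DUMP = (
    b"\x00" * 64
    + build_rsds("c:\\hyp\\explorer.pdb", uuid.UUID("11111111-2222-3333-4444-555555555555"), 1)
    + b"\x90" * 32
    + build_rsds("wntdll.pdb", uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"), 2)
    + b"RSDS\xff\xfe\x00junk"          # stray signature that must not be reported
)

if __name__ == "__main__":
    recs = find_pdb_records(SAMPLE_DUMP)
    for off, guid, age, path in recs:
        print(f"0x{off:08x} {guid} age={age} {path}")
    # sample.exe and ntdll are expected in this process; explorer.pdb is not
    print("foreign:", foreign_pdb_paths(recs, ["sample.pdb", "wntdll.pdb"]))
```

          With the loaded-module list as the expected set, the explorer.pdb hit in the sample's own memory is reported while wntdll.pdb is not; if a copy of ntdll is mapped privately rather than loaded, comparing the record's offset against the module's mapped range is the next check, which this example does not perform.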

          Data Obfuscation

          Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, DHOsMMb33pVMGnPfHl.cs  .Net Code: Mo79yQDks1 System.Reflection.Assembly.Load(byte[])
          Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, DHOsMMb33pVMGnPfHl.cs  .Net Code: Mo79yQDks1 System.Reflection.Assembly.Load(byte[])
          Source: 0.2.z8eokahasflcrscooplasb.exe.5e70000.2.raw.unpack, Uo.cs  .Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
          Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, DHOsMMb33pVMGnPfHl.cs  .Net Code: Mo79yQDks1 System.Reflection.Assembly.Load(byte[])
          Source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, DHOsMMb33pVMGnPfHl.cs  .Net Code: Mo79yQDks1 System.Reflection.Assembly.Load(byte[])
          Source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, DHOsMMb33pVMGnPfHl.cs  .Net Code: Mo79yQDks1 System.Reflection.Assembly.Load(byte[])
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe  Code function: 0_2_030BF550 pushfd ; iretd 0_2_030BF551
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe  Code function: 0_2_058CE4D0 pushfd ; retf 0_2_058CE4D9
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe  Code function: 0_2_058C9A38 push eax; mov dword ptr [esp], ecx 0_2_058C9A3C
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe  Code function: 0_2_07C7A656 push FFFFFF8Bh; iretd 0_2_07C7A65A
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe  Code function: 6_2_0040E851 push es; ret 6_2_0040E852
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe  Code function: 6_2_0040E32C push ecx; retf 6_2_0040E32D
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe  Code function: 6_2_00416BE6 push FFFFFF97h; retf 6_2_00416BEB
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe  Code function: 6_2_0041D475 push eax; ret 6_2_0041D4C8
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe  Code function: 6_2_0041D4C2 push eax; ret 6_2_0041D4C8
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe  Code function: 6_2_0041D4CB push eax; ret 6_2_0041D532
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe  Code function: 6_2_0041D52C push eax; ret 6_2_0041D532
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe  Code function: 6_2_012F225F pushad ; ret 6_2_012F27F9
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe  Code function: 6_2_012F27FA pushad ; ret 6_2_012F27F9
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe  Code function: 6_2_013209AD push ecx; mov dword ptr [esp], ecx 6_2_013209B6
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe  Code function: 6_2_012F283D push eax; iretd 6_2_012F2858
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe  Code function: 6_2_012F1368 push eax; iretd 6_2_012F1369
          Source: C:\Windows\explorer.exe  Code function: 7_2_0E5ADB1E push esp; retn 0000h 7_2_0E5ADB1F
          Source: C:\Windows\explorer.exe  Code function: 7_2_0E5ADB02 push esp; retn 0000h 7_2_0E5ADB03
          Source: C:\Windows\explorer.exe  Code function: 7_2_0E5AD9B5 push esp; retn 0000h 7_2_0E5ADAE7
          Source: C:\Windows\explorer.exe  Code function: 7_2_0E8249B5 push esp; retn 0000h 7_2_0E824AE7
          Source: C:\Windows\explorer.exe  Code function: 7_2_0E824B02 push esp; retn 0000h 7_2_0E824B03
          Source: C:\Windows\explorer.exe  Code function: 7_2_0E824B1E push esp; retn 0000h 7_2_0E824B1F
          Source: C:\Windows\explorer.exe  Code function: 7_2_0FD26B1E push esp; retn 0000h 7_2_0FD26B1F
          Source: C:\Windows\explorer.exe  Code function: 7_2_0FD26B02 push esp; retn 0000h 7_2_0FD26B03
          Source: C:\Windows\explorer.exe  Code function: 7_2_0FD269B5 push esp; retn 0000h 7_2_0FD26AE7
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe  Code function: 8_2_014BF552 push esp; iretd 8_2_014BF559
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe  Code function: 8_2_014BF550 pushfd ; iretd 8_2_014BF551
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe  Code function: 8_2_0747A658 push FFFFFF8Bh; iretd 8_2_0747A65A
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe  Code function: 8_2_07475430 push eax; ret 8_2_07475471
          Source: z8eokahasflcrscooplasb.exe  Static PE information: section name: .text entropy: 7.682191163103425
          Source: hmlPTospxjGJ.exe.0.dr  Static PE information: section name: .text entropy: 7.682191163103425
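          The .text entropy of 7.68 above and the method-name findings that follow rest on the same measurement: Shannon entropy, over the raw bytes of a PE section in one case and over the characters of the concatenated method names in the other. The following Python, added here as an example and not part of the Joe Sandbox report, computes both. It walks the PE section table by hand, builds a small constructed PE (not the analyzed sample) to run against, and compares a set of obfuscated method names copied from the findings on this page with readable .NET names. The 7.0 threshold and the exact normalisation Joe Sandbox applies are assumptions; the direction of the result is what the check relies on.

```python
import math
import random
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (maximum 8.0). Packed, compressed or
    encrypted data sits close to 8; plain x86 code typically lands around 6."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_section_entropy(pe: bytes) -> dict:
    """Walk the section table of a PE image and return {section name: entropy of raw data}."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt
    result = {}
    for i in range(num_sections):
        hdr = pe[table + 40 * i: table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\x00").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)   # SizeOfRawData, PointerToRawData
        result[name] = shannon_entropy(pe[raw_ptr: raw_ptr + raw_size])
    return result


def method_name_entropy(names) -> float:
    """Entropy of the concatenated method names, the measurement behind the
    'High entropy of concatenated method names' findings."""
    return shannon_entropy("".join(names).encode("utf-8"))


def build_test_pe(sections) -> bytes:
    """Constructed, non-loadable PE with just enough header for the parser above."""
    num = len(sections)
    opt_size = 0xE0
    hdr_end = 0x40 + 4 + 20 + opt_size + 40 * num
    data_start = (hdr_end + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)          # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)      # PE32 magic, rest zeroed
    headers, blobs, ptr = b"", b"", data_start
    for name, data in sections:
        raw = (len(data) + 0x1FF) & ~0x1FF
        headers += name.encode().ljust(8, b"\x00") + struct.pack(
            "<IIIIIIHHI", len(data), ptr, raw, ptr, 0, 0, 0, 0, 0x60000020)
        blobs += data.ljust(raw, b"\x00")
        ptr += raw
    return (dos + b"PE\x00\x00" + coff + opt + headers).ljust(data_start, b"\x00") + blobs


# Constructed inputs (not from the analyzed sample): a pseudo-random "packed" .text
# section, a repetitive .rdata section, obfuscated names copied from this report's
# findings, and readable .NET names for comparison.
_rng = random.Random(7)
PACKED_TEXT = bytes(_rng.getrandbits(8) for _ in range(4096))
PLAIN_RDATA = b"ABCD" * 1024
SAMPLE_PE = build_test_pe([(".text", PACKED_TEXT), (".rdata", PLAIN_RDATA)])
OBFUSCATED_NAMES = ['tIFqiJtAi9', 'cUIqIAMMbt', 'y5nqG3aSKm', 'xcDq7WaVZe', 'RoOqTk6RF7',
                    'v1AqCxrJ54', 'sA8qtiPQKM', 'eQoqmgONin', 'M9oq0vpcBl', 'bojqc2itUP']
READABLE_NAMES = ['CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GetEditStyle',
                  'EditValue', 'Dispose', 'ToString']

if __name__ == "__main__":
    for name, h in pe_section_entropy(SAMPLE_PE).items():
        print(f"{name:8s} entropy={h:.3f}{'  packed?' if h > 7.0 else ''}")   # 7.0 is an assumed threshold
    print("obfuscated names:", round(method_name_entropy(OBFUSCATED_NAMES), 3))
    print("readable names:  ", round(method_name_entropy(READABLE_NAMES), 3))
```

          Pointing pe_section_entropy at a real file on disk reproduces the per-section value the static check reports; a .text section near 8 bits per byte next to a System.Reflection.Assembly.Load(byte[]) call is the packed .NET loader profile the findings in this section describe.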
          Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, nje90hqm69TkyRcnXC.csHigh entropy of concatenated method names: 'Dispose', 'THBAhc9Q15', 'ofLUDbVv2K', 'ifwWWnSVAQ', 'Lr9AoYLiEN', 'fAPAzwuv0I', 'ProcessDialogKey', 'pUxUH1xUje', 'nD5UA7RqH2', 'glHUUdqFLi'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, DHOsMMb33pVMGnPfHl.csHigh entropy of concatenated method names: 'tIFqiJtAi9', 'cUIqIAMMbt', 'y5nqG3aSKm', 'xcDq7WaVZe', 'RoOqTk6RF7', 'v1AqCxrJ54', 'sA8qtiPQKM', 'eQoqmgONin', 'M9oq0vpcBl', 'bojqc2itUP'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, F11h69LqNbPf7b3XvB.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'TuKUhfyLRE', 'EGbUow4QXW', 'lKGUznWyba', 'BS6qHnbr47', 'lmjqAhYLZK', 'cd2qUVX2Db', 'sosqqpkeLM', 'g7bZxRub5uvmHvCOyfc'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, a7JefkT7Z2TtvZZnlq.csHigh entropy of concatenated method names: 'mSHCiJ0sFc', 'zspCGcQ9Yj', 'ihgCTQut98', 'fyGCtnjymK', 'keJCmAS7lD', 'iiTTXmHPf8', 'oxnTKTulOc', 'IH7TPtonLl', 'wMMTpXLpIw', 'sqTThn1b5u'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, lUjiwm1i1nlAZ4jwhl.csHigh entropy of concatenated method names: 'd2rItEbeAX38G1otIf6', 'qOlJ7BbwHOPZW6pPTc0', 'P0MCFRMT89', 'HQBC8GkXkZ', 'Bv4C21CNMw', 'jKHpV0bhwJSv4h3QUVK', 'zT2nKQb9ynwi1AY8pf2'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, da3D1Z8UpD8wtXdnkt.csHigh entropy of concatenated method names: 'DAH8Aw3d8W', 'zdI8qSnwn0', 'NiT89FiA8d', 'n2q8ILGRME', 'tgk8GWtRqh', 'Eai8T1HgF3', 'JOj8CDGo3A', 'IyjFPZ3aPX', 'qCCFpTgL3v', 'NjUFh1fbUN'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, SoxLsa3qFKPFlIZhrF.csHigh entropy of concatenated method names: 'quURJVE5Bn', 'zijRfek567', 'N8fRZLA9iH', 'CntR16veVb', 'MnQRDK8h0Q', 'wodRaEgSx5', 'GRpRd6vuFJ', 'DAnRw0Asso', 'ipRRgYDsxN', 'cspRbCoADn'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, igfRPpFCAWqLyFLFLD.csHigh entropy of concatenated method names: 'Fu2TEPFutw', 'tAfT6alrPt', 'mAc7a8AFrj', 'PQb7dokBEX', 'RSM7wsLijP', 'NoX7gyE5hg', 'ix57bIqycB', 'YLj7nrc8KK', 'X6S7SBMLOr', 'Lci7JujGw2'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, hNBpNCyCHgtFJ4MqwJ.csHigh entropy of concatenated method names: 'anotIogMlM', 'lLFt7sCfBf', 'll0tCR5dCe', 'turCocvIJk', 'X0uCzcSjUS', 'ohXtHBOXJ9', 'n7StAB1vLO', 'dnftUP5PS3', 'aBRtq4yhMd', 'hCGt9SNcjv'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, WaPWrpmndIlEOpwLqlY.csHigh entropy of concatenated method names: 'vMx8rOtUYi', 'RUv8vvcVOd', 'sqM8yRmp8s', 'v1O8eMXwmC', 'xDG8EiQeTT', 'v8T8uuYejv', 'BEt861JYIH', 'flX8N8AFP0', 'nkk84iHeNT', 'Tfn8MBh7RB'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, kEJhRxotcfmbENZCX3.csHigh entropy of concatenated method names: 'ONKAtJAmTS', 'kvEAmXE36o', 'J6iAcpuPok', 'ik6AYWkTgL', 'zPlARcjLpN', 'w4tABt0k5m', 'RKal2pdpBLs5hHCRqG', 'sI0uaNjS9PTyW4Zhu9', 'XNDAAMxuMH', 'lQ8Aqc1u8p'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, ILOV13HjDVch5qin0E.csHigh entropy of concatenated method names: 'Ffa7er2GKT', 'By47uQAqgB', 'njE7Nkvv27', 'C0Y74gnG3L', 'fcQ7RiyNOk', 'XAV7BvDpZQ', 'j1r7kDCUII', 'C3Z7FfZiB4', 'hxL78n2v4L', 'VWa72mE1si'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, SIaKdCJeuGaUl0nEW8.csHigh entropy of concatenated method names: 'yyQtr7PW3q', 'ku2tvS3w4N', 'sfftyOlHLS', 'styte8EWDl', 'u4LtEmmXyh', 'HactuG74j1', 'Ih5t6mZKBk', 'XRQtNGZjEf', 'MOot4FC4WX', 'mJCtMHXiJB'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, jNYRDG971dk7SO4v5G.csHigh entropy of concatenated method names: 'MN2GZnViYB', 'drvG1jdb4X', 'YLAGsuZulX', 'RneGOFbLbH', 'lTeGXjwnPk', 'MrvGKgwVss', 'VnqGPGw2jN', 'uyoGp27XEN', 'CKsGhYSlp2', 'vLCGo7Arxv'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, hZ1SYxucGZJNQ4cVDF.csHigh entropy of concatenated method names: 'O14kpOXwpn', 'P2WkoGFyMe', 'm3jFHQtMT3', 'OstFAi6gDi', 'DmuklmClDy', 'RyCkfKLdJ2', 'hJDkx16iL6', 'bQqkZHDvlX', 'eKWk1lMiCc', 'YpHkstj2b8'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, bXR3LJvGI9qF9TPnWA.csHigh entropy of concatenated method names: 'ToString', 'iwSBlwmHgv', 'AWZBDEocpn', 'b4iBaICJRd', 'EWEBdhpE4p', 'Cm2BwfLALj', 'SVxBgSaKcn', 'jxEBbZkdcG', 'N6pBnuqaZt', 'i8bBSPHsfD'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, o0sCkAzLFKOQbKwmSv.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'n2y8Q9WLeo', 'IT48Roipfb', 'quE8BUIPgl', 'VSw8kMZmy1', 'baT8FLgjRA', 'wBY88bR3fW', 'kJQ82cd4i1'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, EIWTUZmEkPOjDF4QdTs.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fSb2ZAuKjy', 'Rjq218YwB4', 'akb2sLMbN0', 'vWj2OKKGKS', 'Ns92XVVWKw', 'k5K2K5b3yk', 'pBe2PIrL4J'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, vNW6mUaGNdZhkYQKnA.csHigh entropy of concatenated method names: 'j2ky9Hl0p', 'u3keq7c48', 'kZKuEG715', 'ifk6Dtsg7', 'sI44kxXpN', 'PweMD3v04', 'sFGa7cycHFo5Y0i8PW', 'CjCHC7MdCgmgJFjwGb', 'tNrFC1u9F', 'q372hXaTL'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, DRw66CDUGC4CVZZDrD.csHigh entropy of concatenated method names: 'HbeQNZuxUE', 'hvyQ4GAxRM', 'u6CQLOm0Dr', 'rSHQDDvL1C', 'KRpQdbfJJB', 'zIhQwDNXIU', 'xLgQbLiMCt', 'zoSQngrlPP', 'XZqQJwa8hx', 'NyPQlHd19B'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, yPqGQ9pWmptAFYRbaj.csHigh entropy of concatenated method names: 'qaNFI3XjJu', 'NIqFGPERWD', 'W2RF7HDwf8', 'sKrFT1RMbB', 'R6wFCvbpEp', 'OCuFtdGiRh', 'p5UFmPEtMJ', 'HK1F01GwXq', 'z78FcCGJpJ', 'PE9FYyWY8a'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, T6wZ7XGn8o9xWCyt8X.csHigh entropy of concatenated method names: 'X45FLYI2Cc', 'jUgFDitIbD', 'eASFa8HYOV', 'l0TFdndb3X', 'i8eFZkVHTM', 'MbJFwge3nN', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, nje90hqm69TkyRcnXC.csHigh entropy of concatenated method names: 'Dispose', 'THBAhc9Q15', 'ofLUDbVv2K', 'ifwWWnSVAQ', 'Lr9AoYLiEN', 'fAPAzwuv0I', 'ProcessDialogKey', 'pUxUH1xUje', 'nD5UA7RqH2', 'glHUUdqFLi'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, DHOsMMb33pVMGnPfHl.csHigh entropy of concatenated method names: 'tIFqiJtAi9', 'cUIqIAMMbt', 'y5nqG3aSKm', 'xcDq7WaVZe', 'RoOqTk6RF7', 'v1AqCxrJ54', 'sA8qtiPQKM', 'eQoqmgONin', 'M9oq0vpcBl', 'bojqc2itUP'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, F11h69LqNbPf7b3XvB.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'TuKUhfyLRE', 'EGbUow4QXW', 'lKGUznWyba', 'BS6qHnbr47', 'lmjqAhYLZK', 'cd2qUVX2Db', 'sosqqpkeLM', 'g7bZxRub5uvmHvCOyfc'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, a7JefkT7Z2TtvZZnlq.csHigh entropy of concatenated method names: 'mSHCiJ0sFc', 'zspCGcQ9Yj', 'ihgCTQut98', 'fyGCtnjymK', 'keJCmAS7lD', 'iiTTXmHPf8', 'oxnTKTulOc', 'IH7TPtonLl', 'wMMTpXLpIw', 'sqTThn1b5u'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, lUjiwm1i1nlAZ4jwhl.csHigh entropy of concatenated method names: 'd2rItEbeAX38G1otIf6', 'qOlJ7BbwHOPZW6pPTc0', 'P0MCFRMT89', 'HQBC8GkXkZ', 'Bv4C21CNMw', 'jKHpV0bhwJSv4h3QUVK', 'zT2nKQb9ynwi1AY8pf2'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, da3D1Z8UpD8wtXdnkt.csHigh entropy of concatenated method names: 'DAH8Aw3d8W', 'zdI8qSnwn0', 'NiT89FiA8d', 'n2q8ILGRME', 'tgk8GWtRqh', 'Eai8T1HgF3', 'JOj8CDGo3A', 'IyjFPZ3aPX', 'qCCFpTgL3v', 'NjUFh1fbUN'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, SoxLsa3qFKPFlIZhrF.csHigh entropy of concatenated method names: 'quURJVE5Bn', 'zijRfek567', 'N8fRZLA9iH', 'CntR16veVb', 'MnQRDK8h0Q', 'wodRaEgSx5', 'GRpRd6vuFJ', 'DAnRw0Asso', 'ipRRgYDsxN', 'cspRbCoADn'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, igfRPpFCAWqLyFLFLD.csHigh entropy of concatenated method names: 'Fu2TEPFutw', 'tAfT6alrPt', 'mAc7a8AFrj', 'PQb7dokBEX', 'RSM7wsLijP', 'NoX7gyE5hg', 'ix57bIqycB', 'YLj7nrc8KK', 'X6S7SBMLOr', 'Lci7JujGw2'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, hNBpNCyCHgtFJ4MqwJ.csHigh entropy of concatenated method names: 'anotIogMlM', 'lLFt7sCfBf', 'll0tCR5dCe', 'turCocvIJk', 'X0uCzcSjUS', 'ohXtHBOXJ9', 'n7StAB1vLO', 'dnftUP5PS3', 'aBRtq4yhMd', 'hCGt9SNcjv'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, WaPWrpmndIlEOpwLqlY.csHigh entropy of concatenated method names: 'vMx8rOtUYi', 'RUv8vvcVOd', 'sqM8yRmp8s', 'v1O8eMXwmC', 'xDG8EiQeTT', 'v8T8uuYejv', 'BEt861JYIH', 'flX8N8AFP0', 'nkk84iHeNT', 'Tfn8MBh7RB'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, kEJhRxotcfmbENZCX3.csHigh entropy of concatenated method names: 'ONKAtJAmTS', 'kvEAmXE36o', 'J6iAcpuPok', 'ik6AYWkTgL', 'zPlARcjLpN', 'w4tABt0k5m', 'RKal2pdpBLs5hHCRqG', 'sI0uaNjS9PTyW4Zhu9', 'XNDAAMxuMH', 'lQ8Aqc1u8p'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, ILOV13HjDVch5qin0E.csHigh entropy of concatenated method names: 'Ffa7er2GKT', 'By47uQAqgB', 'njE7Nkvv27', 'C0Y74gnG3L', 'fcQ7RiyNOk', 'XAV7BvDpZQ', 'j1r7kDCUII', 'C3Z7FfZiB4', 'hxL78n2v4L', 'VWa72mE1si'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, SIaKdCJeuGaUl0nEW8.csHigh entropy of concatenated method names: 'yyQtr7PW3q', 'ku2tvS3w4N', 'sfftyOlHLS', 'styte8EWDl', 'u4LtEmmXyh', 'HactuG74j1', 'Ih5t6mZKBk', 'XRQtNGZjEf', 'MOot4FC4WX', 'mJCtMHXiJB'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, jNYRDG971dk7SO4v5G.csHigh entropy of concatenated method names: 'MN2GZnViYB', 'drvG1jdb4X', 'YLAGsuZulX', 'RneGOFbLbH', 'lTeGXjwnPk', 'MrvGKgwVss', 'VnqGPGw2jN', 'uyoGp27XEN', 'CKsGhYSlp2', 'vLCGo7Arxv'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, hZ1SYxucGZJNQ4cVDF.csHigh entropy of concatenated method names: 'O14kpOXwpn', 'P2WkoGFyMe', 'm3jFHQtMT3', 'OstFAi6gDi', 'DmuklmClDy', 'RyCkfKLdJ2', 'hJDkx16iL6', 'bQqkZHDvlX', 'eKWk1lMiCc', 'YpHkstj2b8'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, bXR3LJvGI9qF9TPnWA.csHigh entropy of concatenated method names: 'ToString', 'iwSBlwmHgv', 'AWZBDEocpn', 'b4iBaICJRd', 'EWEBdhpE4p', 'Cm2BwfLALj', 'SVxBgSaKcn', 'jxEBbZkdcG', 'N6pBnuqaZt', 'i8bBSPHsfD'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, o0sCkAzLFKOQbKwmSv.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'n2y8Q9WLeo', 'IT48Roipfb', 'quE8BUIPgl', 'VSw8kMZmy1', 'baT8FLgjRA', 'wBY88bR3fW', 'kJQ82cd4i1'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, EIWTUZmEkPOjDF4QdTs.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fSb2ZAuKjy', 'Rjq218YwB4', 'akb2sLMbN0', 'vWj2OKKGKS', 'Ns92XVVWKw', 'k5K2K5b3yk', 'pBe2PIrL4J'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, vNW6mUaGNdZhkYQKnA.csHigh entropy of concatenated method names: 'j2ky9Hl0p', 'u3keq7c48', 'kZKuEG715', 'ifk6Dtsg7', 'sI44kxXpN', 'PweMD3v04', 'sFGa7cycHFo5Y0i8PW', 'CjCHC7MdCgmgJFjwGb', 'tNrFC1u9F', 'q372hXaTL'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, DRw66CDUGC4CVZZDrD.csHigh entropy of concatenated method names: 'HbeQNZuxUE', 'hvyQ4GAxRM', 'u6CQLOm0Dr', 'rSHQDDvL1C', 'KRpQdbfJJB', 'zIhQwDNXIU', 'xLgQbLiMCt', 'zoSQngrlPP', 'XZqQJwa8hx', 'NyPQlHd19B'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, yPqGQ9pWmptAFYRbaj.csHigh entropy of concatenated method names: 'qaNFI3XjJu', 'NIqFGPERWD', 'W2RF7HDwf8', 'sKrFT1RMbB', 'R6wFCvbpEp', 'OCuFtdGiRh', 'p5UFmPEtMJ', 'HK1F01GwXq', 'z78FcCGJpJ', 'PE9FYyWY8a'
          Source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, T6wZ7XGn8o9xWCyt8X.csHigh entropy of concatenated method names: 'X45FLYI2Cc', 'jUgFDitIbD', 'eASFa8HYOV', 'l0TFdndb3X', 'i8eFZkVHTM', 'MbJFwge3nN', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, nje90hqm69TkyRcnXC.csHigh entropy of concatenated method names: 'Dispose', 'THBAhc9Q15', 'ofLUDbVv2K', 'ifwWWnSVAQ', 'Lr9AoYLiEN', 'fAPAzwuv0I', 'ProcessDialogKey', 'pUxUH1xUje', 'nD5UA7RqH2', 'glHUUdqFLi'
          Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, DHOsMMb33pVMGnPfHl.csHigh entropy of concatenated method names: 'tIFqiJtAi9', 'cUIqIAMMbt', 'y5nqG3aSKm', 'xcDq7WaVZe', 'RoOqTk6RF7', 'v1AqCxrJ54', 'sA8qtiPQKM', 'eQoqmgONin', 'M9oq0vpcBl', 'bojqc2itUP'
          Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, F11h69LqNbPf7b3XvB.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'TuKUhfyLRE', 'EGbUow4QXW', 'lKGUznWyba', 'BS6qHnbr47', 'lmjqAhYLZK', 'cd2qUVX2Db', 'sosqqpkeLM', 'g7bZxRub5uvmHvCOyfc'
          Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, a7JefkT7Z2TtvZZnlq.csHigh entropy of concatenated method names: 'mSHCiJ0sFc', 'zspCGcQ9Yj', 'ihgCTQut98', 'fyGCtnjymK', 'keJCmAS7lD', 'iiTTXmHPf8', 'oxnTKTulOc', 'IH7TPtonLl', 'wMMTpXLpIw', 'sqTThn1b5u'
          Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, lUjiwm1i1nlAZ4jwhl.csHigh entropy of concatenated method names: 'd2rItEbeAX38G1otIf6', 'qOlJ7BbwHOPZW6pPTc0', 'P0MCFRMT89', 'HQBC8GkXkZ', 'Bv4C21CNMw', 'jKHpV0bhwJSv4h3QUVK', 'zT2nKQb9ynwi1AY8pf2'
          Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, da3D1Z8UpD8wtXdnkt.csHigh entropy of concatenated method names: 'DAH8Aw3d8W', 'zdI8qSnwn0', 'NiT89FiA8d', 'n2q8ILGRME', 'tgk8GWtRqh', 'Eai8T1HgF3', 'JOj8CDGo3A', 'IyjFPZ3aPX', 'qCCFpTgL3v', 'NjUFh1fbUN'
          Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, SoxLsa3qFKPFlIZhrF.csHigh entropy of concatenated method names: 'quURJVE5Bn', 'zijRfek567', 'N8fRZLA9iH', 'CntR16veVb', 'MnQRDK8h0Q', 'wodRaEgSx5', 'GRpRd6vuFJ', 'DAnRw0Asso', 'ipRRgYDsxN', 'cspRbCoADn'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, igfRPpFCAWqLyFLFLD.cs; High entropy of concatenated method names: 'Fu2TEPFutw', 'tAfT6alrPt', 'mAc7a8AFrj', 'PQb7dokBEX', 'RSM7wsLijP', 'NoX7gyE5hg', 'ix57bIqycB', 'YLj7nrc8KK', 'X6S7SBMLOr', 'Lci7JujGw2'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, hNBpNCyCHgtFJ4MqwJ.cs; High entropy of concatenated method names: 'anotIogMlM', 'lLFt7sCfBf', 'll0tCR5dCe', 'turCocvIJk', 'X0uCzcSjUS', 'ohXtHBOXJ9', 'n7StAB1vLO', 'dnftUP5PS3', 'aBRtq4yhMd', 'hCGt9SNcjv'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, WaPWrpmndIlEOpwLqlY.cs; High entropy of concatenated method names: 'vMx8rOtUYi', 'RUv8vvcVOd', 'sqM8yRmp8s', 'v1O8eMXwmC', 'xDG8EiQeTT', 'v8T8uuYejv', 'BEt861JYIH', 'flX8N8AFP0', 'nkk84iHeNT', 'Tfn8MBh7RB'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, kEJhRxotcfmbENZCX3.cs; High entropy of concatenated method names: 'ONKAtJAmTS', 'kvEAmXE36o', 'J6iAcpuPok', 'ik6AYWkTgL', 'zPlARcjLpN', 'w4tABt0k5m', 'RKal2pdpBLs5hHCRqG', 'sI0uaNjS9PTyW4Zhu9', 'XNDAAMxuMH', 'lQ8Aqc1u8p'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, ILOV13HjDVch5qin0E.cs; High entropy of concatenated method names: 'Ffa7er2GKT', 'By47uQAqgB', 'njE7Nkvv27', 'C0Y74gnG3L', 'fcQ7RiyNOk', 'XAV7BvDpZQ', 'j1r7kDCUII', 'C3Z7FfZiB4', 'hxL78n2v4L', 'VWa72mE1si'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, SIaKdCJeuGaUl0nEW8.cs; High entropy of concatenated method names: 'yyQtr7PW3q', 'ku2tvS3w4N', 'sfftyOlHLS', 'styte8EWDl', 'u4LtEmmXyh', 'HactuG74j1', 'Ih5t6mZKBk', 'XRQtNGZjEf', 'MOot4FC4WX', 'mJCtMHXiJB'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, jNYRDG971dk7SO4v5G.cs; High entropy of concatenated method names: 'MN2GZnViYB', 'drvG1jdb4X', 'YLAGsuZulX', 'RneGOFbLbH', 'lTeGXjwnPk', 'MrvGKgwVss', 'VnqGPGw2jN', 'uyoGp27XEN', 'CKsGhYSlp2', 'vLCGo7Arxv'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, hZ1SYxucGZJNQ4cVDF.cs; High entropy of concatenated method names: 'O14kpOXwpn', 'P2WkoGFyMe', 'm3jFHQtMT3', 'OstFAi6gDi', 'DmuklmClDy', 'RyCkfKLdJ2', 'hJDkx16iL6', 'bQqkZHDvlX', 'eKWk1lMiCc', 'YpHkstj2b8'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, bXR3LJvGI9qF9TPnWA.cs; High entropy of concatenated method names: 'ToString', 'iwSBlwmHgv', 'AWZBDEocpn', 'b4iBaICJRd', 'EWEBdhpE4p', 'Cm2BwfLALj', 'SVxBgSaKcn', 'jxEBbZkdcG', 'N6pBnuqaZt', 'i8bBSPHsfD'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, o0sCkAzLFKOQbKwmSv.cs; High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'n2y8Q9WLeo', 'IT48Roipfb', 'quE8BUIPgl', 'VSw8kMZmy1', 'baT8FLgjRA', 'wBY88bR3fW', 'kJQ82cd4i1'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, EIWTUZmEkPOjDF4QdTs.cs; High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fSb2ZAuKjy', 'Rjq218YwB4', 'akb2sLMbN0', 'vWj2OKKGKS', 'Ns92XVVWKw', 'k5K2K5b3yk', 'pBe2PIrL4J'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, vNW6mUaGNdZhkYQKnA.cs; High entropy of concatenated method names: 'j2ky9Hl0p', 'u3keq7c48', 'kZKuEG715', 'ifk6Dtsg7', 'sI44kxXpN', 'PweMD3v04', 'sFGa7cycHFo5Y0i8PW', 'CjCHC7MdCgmgJFjwGb', 'tNrFC1u9F', 'q372hXaTL'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, DRw66CDUGC4CVZZDrD.cs; High entropy of concatenated method names: 'HbeQNZuxUE', 'hvyQ4GAxRM', 'u6CQLOm0Dr', 'rSHQDDvL1C', 'KRpQdbfJJB', 'zIhQwDNXIU', 'xLgQbLiMCt', 'zoSQngrlPP', 'XZqQJwa8hx', 'NyPQlHd19B'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, yPqGQ9pWmptAFYRbaj.cs; High entropy of concatenated method names: 'qaNFI3XjJu', 'NIqFGPERWD', 'W2RF7HDwf8', 'sKrFT1RMbB', 'R6wFCvbpEp', 'OCuFtdGiRh', 'p5UFmPEtMJ', 'HK1F01GwXq', 'z78FcCGJpJ', 'PE9FYyWY8a'
Source: 0.2.z8eokahasflcrscooplasb.exe.7ef0000.3.raw.unpack, T6wZ7XGn8o9xWCyt8X.cs; High entropy of concatenated method names: 'X45FLYI2Cc', 'jUgFDitIbD', 'eASFa8HYOV', 'l0TFdndb3X', 'i8eFZkVHTM', 'MbJFwge3nN', 'Next', 'Next', 'Next', 'NextBytes'
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe; File created: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe

          Boot Survival

Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmlPTospxjGJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D16.tmp"

          Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\explorer.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: Yara match | File source: Process Memory Space: z8eokahasflcrscooplasb.exe PID: 6556, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: hmlPTospxjGJ.exe PID: 4228, type: MEMORYSTR
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | API/Special instruction interceptor: Address: 7FFE2220D324
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | API/Special instruction interceptor: Address: 7FFE22210774
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | API/Special instruction interceptor: Address: 7FFE22210154
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | API/Special instruction interceptor: Address: 7FFE2220D8A4
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | API/Special instruction interceptor: Address: 7FFE2220DA44
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | API/Special instruction interceptor: Address: 7FFE2220D1E4
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe | API/Special instruction interceptor: Address: 7FFE2220D324
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe | API/Special instruction interceptor: Address: 7FFE22210774
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe | API/Special instruction interceptor: Address: 7FFE22210154
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe | API/Special instruction interceptor: Address: 7FFE2220D8A4
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe | API/Special instruction interceptor: Address: 7FFE2220DA44
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe | API/Special instruction interceptor: Address: 7FFE2220D1E4
          Source: C:\Windows\SysWOW64\explorer.exe | API/Special instruction interceptor: Address: 7FFE2220D324
          Source: C:\Windows\SysWOW64\explorer.exe | API/Special instruction interceptor: Address: 7FFE22210774
          Source: C:\Windows\SysWOW64\explorer.exe | API/Special instruction interceptor: Address: 7FFE2220D944
          Source: C:\Windows\SysWOW64\explorer.exe | API/Special instruction interceptor: Address: 7FFE2220D504
          Source: C:\Windows\SysWOW64\explorer.exe | API/Special instruction interceptor: Address: 7FFE2220D544
          Source: C:\Windows\SysWOW64\explorer.exe | API/Special instruction interceptor: Address: 7FFE2220D1E4
          Source: C:\Windows\SysWOW64\explorer.exe | API/Special instruction interceptor: Address: 7FFE22210154
          Source: C:\Windows\SysWOW64\explorer.exe | API/Special instruction interceptor: Address: 7FFE2220D8A4
          Source: C:\Windows\SysWOW64\explorer.exe | API/Special instruction interceptor: Address: 7FFE2220DA44
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe | RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe | RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\explorer.exe | RDTSC instruction interceptor: First address: A69904 second address: A6990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\explorer.exe | RDTSC instruction interceptor: First address: A69B6E second address: A69B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\mstsc.exe | RDTSC instruction interceptor: First address: 4F9904 second address: 4F990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\mstsc.exe | RDTSC instruction interceptor: First address: 4F9B6E second address: 4F9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Memory allocated: 3070000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Memory allocated: 3300000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Memory allocated: 3100000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Memory allocated: 95F0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Memory allocated: A5F0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Memory allocated: A800000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Memory allocated: B800000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Memory allocated: BF90000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Memory allocated: CF90000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Memory allocated: DF90000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe | Memory allocated: 1480000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe | Memory allocated: 2F20000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe | Memory allocated: 4F20000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe | Memory allocated: 8BE0000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe | Memory allocated: 7690000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe | Memory allocated: 9BE0000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe | Memory allocated: ABE0000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe | Memory allocated: B540000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe | Memory allocated: C540000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe | Memory allocated: D550000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_00409AA0 rdtsc 6_2_00409AA0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6723
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2950
          Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 419
          Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 9525
          Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 867
          Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 886
          Source: C:\Windows\SysWOW64\explorer.exe | Window / User API: threadDelayed 9727
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | API coverage: 1.7 %
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe TID: 6632 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4464 | Thread sleep time: -6456360425798339s >= -30000s
          Source: C:\Windows\explorer.exe TID: 7076 | Thread sleep count: 419 > 30
          Source: C:\Windows\explorer.exe TID: 7076 | Thread sleep time: -838000s >= -30000s
          Source: C:\Windows\explorer.exe TID: 7076 | Thread sleep count: 9525 > 30
          Source: C:\Windows\explorer.exe TID: 7076 | Thread sleep time: -19050000s >= -30000s
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe TID: 2188 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\explorer.exe TID: 6660 | Thread sleep count: 242 > 30
          Source: C:\Windows\SysWOW64\explorer.exe TID: 6660 | Thread sleep time: -484000s >= -30000s
          Source: C:\Windows\SysWOW64\explorer.exe TID: 6660 | Thread sleep count: 9727 > 30
          Source: C:\Windows\SysWOW64\explorer.exe TID: 6660 | Thread sleep time: -19454000s >= -30000s
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULL
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\NULL
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat
          Source: explorer.exe, 00000007.00000000.1726180641.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000007.00000002.4147605314.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NECVMWar VMware SATA CD00\w
          Source: explorer.exe, 00000007.00000000.1721047830.00000000078A0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
          Source: explorer.exe, 00000007.00000000.1721047830.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
          Source: explorer.exe, 00000007.00000000.1726180641.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000007.00000000.1717337994.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
          Source: explorer.exe, 00000007.00000000.1721047830.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000007.00000002.4148429051.000000000997A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000007.00000000.1721047830.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTTAVMWare
          Source: explorer.exe, 00000007.00000002.4147605314.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
          Source: z8eokahasflcrscooplasb.exe, 00000000.00000002.1735007844.000000000151B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
          Source: explorer.exe, 00000007.00000003.3112970647.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4147605314.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1724892817.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1724892817.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3112970647.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4147605314.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000007.00000002.4148429051.000000000997A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
          Source: explorer.exe, 00000007.00000002.4144709532.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.0000000007A34000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBnx
          Source: explorer.exe, 00000007.00000002.4147527518.0000000009660000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
          Source: explorer.exe, 00000007.00000000.1717337994.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: explorer.exe, 00000007.00000000.1717337994.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\explorer.exe | Process queried: DebugPort
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\mstsc.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_00409AA0 rdtsc 6_2_00409AA0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_0040ACE0 LdrLoadDll, 6_2_0040ACE0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01350124 mov eax, dword ptr fs:[00000030h] 6_2_01350124
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013CA118 mov ecx, dword ptr fs:[00000030h] 6_2_013CA118
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013CA118 mov eax, dword ptr fs:[00000030h] 6_2_013CA118
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013CA118 mov eax, dword ptr fs:[00000030h] 6_2_013CA118
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013CA118 mov eax, dword ptr fs:[00000030h] 6_2_013CA118
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013E0115 mov eax, dword ptr fs:[00000030h] 6_2_013E0115
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013CE10E mov eax, dword ptr fs:[00000030h] 6_2_013CE10E
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013CE10E mov ecx, dword ptr fs:[00000030h] 6_2_013CE10E
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013CE10E mov eax, dword ptr fs:[00000030h] 6_2_013CE10E
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013CE10E mov eax, dword ptr fs:[00000030h] 6_2_013CE10E
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013CE10E mov ecx, dword ptr fs:[00000030h] 6_2_013CE10E
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013CE10E mov eax, dword ptr fs:[00000030h] 6_2_013CE10E
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013CE10E mov eax, dword ptr fs:[00000030h] 6_2_013CE10E
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013CE10E mov ecx, dword ptr fs:[00000030h] 6_2_013CE10E
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013CE10E mov eax, dword ptr fs:[00000030h] 6_2_013CE10E
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013CE10E mov ecx, dword ptr fs:[00000030h] 6_2_013CE10E
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013F4164 mov eax, dword ptr fs:[00000030h] 6_2_013F4164
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013F4164 mov eax, dword ptr fs:[00000030h] 6_2_013F4164
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013B8158 mov eax, dword ptr fs:[00000030h] 6_2_013B8158
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01326154 mov eax, dword ptr fs:[00000030h] 6_2_01326154
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01326154 mov eax, dword ptr fs:[00000030h] 6_2_01326154
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_0131C156 mov eax, dword ptr fs:[00000030h] 6_2_0131C156
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013B4144 mov eax, dword ptr fs:[00000030h] 6_2_013B4144
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013B4144 mov eax, dword ptr fs:[00000030h] 6_2_013B4144
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013B4144 mov ecx, dword ptr fs:[00000030h] 6_2_013B4144
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013B4144 mov eax, dword ptr fs:[00000030h] 6_2_013B4144
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013B4144 mov eax, dword ptr fs:[00000030h] 6_2_013B4144
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013A019F mov eax, dword ptr fs:[00000030h] 6_2_013A019F
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013A019F mov eax, dword ptr fs:[00000030h] 6_2_013A019F
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013A019F mov eax, dword ptr fs:[00000030h] 6_2_013A019F
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013A019F mov eax, dword ptr fs:[00000030h] 6_2_013A019F
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_0131A197 mov eax, dword ptr fs:[00000030h] 6_2_0131A197
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_0131A197 mov eax, dword ptr fs:[00000030h] 6_2_0131A197
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_0131A197 mov eax, dword ptr fs:[00000030h] 6_2_0131A197
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_01360185 mov eax, dword ptr fs:[00000030h] 6_2_01360185
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013DC188 mov eax, dword ptr fs:[00000030h] 6_2_013DC188
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013DC188 mov eax, dword ptr fs:[00000030h] 6_2_013DC188
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013C4180 mov eax, dword ptr fs:[00000030h] 6_2_013C4180
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013C4180 mov eax, dword ptr fs:[00000030h] 6_2_013C4180
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013501F8 mov eax, dword ptr fs:[00000030h] 6_2_013501F8
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013F61E5 mov eax, dword ptr fs:[00000030h] 6_2_013F61E5
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_0139E1D0 mov eax, dword ptr fs:[00000030h] 6_2_0139E1D0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_0139E1D0 mov eax, dword ptr fs:[00000030h] 6_2_0139E1D0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_0139E1D0 mov ecx, dword ptr fs:[00000030h] 6_2_0139E1D0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_0139E1D0 mov eax, dword ptr fs:[00000030h] 6_2_0139E1D0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_0139E1D0 mov eax, dword ptr fs:[00000030h] 6_2_0139E1D0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013E61C3 mov eax, dword ptr fs:[00000030h] 6_2_013E61C3
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013E61C3 mov eax, dword ptr fs:[00000030h] 6_2_013E61C3
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013B6030 mov eax, dword ptr fs:[00000030h] 6_2_013B6030
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_0131A020 mov eax, dword ptr fs:[00000030h] 6_2_0131A020
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_0131C020 mov eax, dword ptr fs:[00000030h] 6_2_0131C020
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_0133E016 mov eax, dword ptr fs:[00000030h] 6_2_0133E016
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_0133E016 mov eax, dword ptr fs:[00000030h] 6_2_0133E016
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_0133E016 mov eax, dword ptr fs:[00000030h] 6_2_0133E016
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_0133E016 mov eax, dword ptr fs:[00000030h] 6_2_0133E016
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013A4000 mov ecx, dword ptr fs:[00000030h] 6_2_013A4000
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013C2000 mov eax, dword ptr fs:[00000030h] 6_2_013C2000
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013C2000 mov eax, dword ptr fs:[00000030h] 6_2_013C2000
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe | Code function: 6_2_013C2000 mov eax, dword ptr fs:[00000030h] 6_2_013C2000
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013C2000 mov eax, dword ptr fs:[00000030h]6_2_013C2000
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013C2000 mov eax, dword ptr fs:[00000030h]6_2_013C2000
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013C2000 mov eax, dword ptr fs:[00000030h]6_2_013C2000
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013C2000 mov eax, dword ptr fs:[00000030h]6_2_013C2000
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013C2000 mov eax, dword ptr fs:[00000030h]6_2_013C2000
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0134C073 mov eax, dword ptr fs:[00000030h]6_2_0134C073
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_01322050 mov eax, dword ptr fs:[00000030h]6_2_01322050
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A6050 mov eax, dword ptr fs:[00000030h]6_2_013A6050
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013E60B8 mov eax, dword ptr fs:[00000030h]6_2_013E60B8
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013E60B8 mov ecx, dword ptr fs:[00000030h]6_2_013E60B8
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013180A0 mov eax, dword ptr fs:[00000030h]6_2_013180A0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013B80A8 mov eax, dword ptr fs:[00000030h]6_2_013B80A8
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0132208A mov eax, dword ptr fs:[00000030h]6_2_0132208A
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0131C0F0 mov eax, dword ptr fs:[00000030h]6_2_0131C0F0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013620F0 mov ecx, dword ptr fs:[00000030h]6_2_013620F0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0131A0E3 mov ecx, dword ptr fs:[00000030h]6_2_0131A0E3
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A60E0 mov eax, dword ptr fs:[00000030h]6_2_013A60E0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013280E9 mov eax, dword ptr fs:[00000030h]6_2_013280E9
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A20DE mov eax, dword ptr fs:[00000030h]6_2_013A20DE
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013F8324 mov eax, dword ptr fs:[00000030h]6_2_013F8324
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013F8324 mov ecx, dword ptr fs:[00000030h]6_2_013F8324
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013F8324 mov eax, dword ptr fs:[00000030h]6_2_013F8324
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013F8324 mov eax, dword ptr fs:[00000030h]6_2_013F8324
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0131C310 mov ecx, dword ptr fs:[00000030h]6_2_0131C310
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_01340310 mov ecx, dword ptr fs:[00000030h]6_2_01340310
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0135A30B mov eax, dword ptr fs:[00000030h]6_2_0135A30B
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0135A30B mov eax, dword ptr fs:[00000030h]6_2_0135A30B
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0135A30B mov eax, dword ptr fs:[00000030h]6_2_0135A30B
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013C437C mov eax, dword ptr fs:[00000030h]6_2_013C437C
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A035C mov eax, dword ptr fs:[00000030h]6_2_013A035C
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A035C mov eax, dword ptr fs:[00000030h]6_2_013A035C
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A035C mov eax, dword ptr fs:[00000030h]6_2_013A035C
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A035C mov ecx, dword ptr fs:[00000030h]6_2_013A035C
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A035C mov eax, dword ptr fs:[00000030h]6_2_013A035C
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A035C mov eax, dword ptr fs:[00000030h]6_2_013A035C
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013EA352 mov eax, dword ptr fs:[00000030h]6_2_013EA352
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013C8350 mov ecx, dword ptr fs:[00000030h]6_2_013C8350
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013F634F mov eax, dword ptr fs:[00000030h]6_2_013F634F
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]6_2_013A2349
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]6_2_013A2349
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]6_2_013A2349
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]6_2_013A2349
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]6_2_013A2349
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]6_2_013A2349
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]6_2_013A2349
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]6_2_013A2349
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]6_2_013A2349
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]6_2_013A2349
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]6_2_013A2349
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]6_2_013A2349
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]6_2_013A2349
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]6_2_013A2349
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A2349 mov eax, dword ptr fs:[00000030h]6_2_013A2349
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_01318397 mov eax, dword ptr fs:[00000030h]6_2_01318397
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_01318397 mov eax, dword ptr fs:[00000030h]6_2_01318397
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_01318397 mov eax, dword ptr fs:[00000030h]6_2_01318397
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0131E388 mov eax, dword ptr fs:[00000030h]6_2_0131E388
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0131E388 mov eax, dword ptr fs:[00000030h]6_2_0131E388
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0131E388 mov eax, dword ptr fs:[00000030h]6_2_0131E388
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0134438F mov eax, dword ptr fs:[00000030h]6_2_0134438F
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0134438F mov eax, dword ptr fs:[00000030h]6_2_0134438F
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0133E3F0 mov eax, dword ptr fs:[00000030h]6_2_0133E3F0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0133E3F0 mov eax, dword ptr fs:[00000030h]6_2_0133E3F0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0133E3F0 mov eax, dword ptr fs:[00000030h]6_2_0133E3F0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013563FF mov eax, dword ptr fs:[00000030h]6_2_013563FF
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013303E9 mov eax, dword ptr fs:[00000030h]6_2_013303E9
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013303E9 mov eax, dword ptr fs:[00000030h]6_2_013303E9
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013303E9 mov eax, dword ptr fs:[00000030h]6_2_013303E9
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013303E9 mov eax, dword ptr fs:[00000030h]6_2_013303E9
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013303E9 mov eax, dword ptr fs:[00000030h]6_2_013303E9
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013303E9 mov eax, dword ptr fs:[00000030h]6_2_013303E9
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013303E9 mov eax, dword ptr fs:[00000030h]6_2_013303E9
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013303E9 mov eax, dword ptr fs:[00000030h]6_2_013303E9
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013CE3DB mov eax, dword ptr fs:[00000030h]6_2_013CE3DB
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013CE3DB mov eax, dword ptr fs:[00000030h]6_2_013CE3DB
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013CE3DB mov ecx, dword ptr fs:[00000030h]6_2_013CE3DB
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013CE3DB mov eax, dword ptr fs:[00000030h]6_2_013CE3DB
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013C43D4 mov eax, dword ptr fs:[00000030h]6_2_013C43D4
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013C43D4 mov eax, dword ptr fs:[00000030h]6_2_013C43D4
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013DC3CD mov eax, dword ptr fs:[00000030h]6_2_013DC3CD
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0132A3C0 mov eax, dword ptr fs:[00000030h]6_2_0132A3C0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0132A3C0 mov eax, dword ptr fs:[00000030h]6_2_0132A3C0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0132A3C0 mov eax, dword ptr fs:[00000030h]6_2_0132A3C0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0132A3C0 mov eax, dword ptr fs:[00000030h]6_2_0132A3C0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0132A3C0 mov eax, dword ptr fs:[00000030h]6_2_0132A3C0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0132A3C0 mov eax, dword ptr fs:[00000030h]6_2_0132A3C0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013283C0 mov eax, dword ptr fs:[00000030h]6_2_013283C0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013283C0 mov eax, dword ptr fs:[00000030h]6_2_013283C0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013283C0 mov eax, dword ptr fs:[00000030h]6_2_013283C0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013283C0 mov eax, dword ptr fs:[00000030h]6_2_013283C0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A63C0 mov eax, dword ptr fs:[00000030h]6_2_013A63C0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0131823B mov eax, dword ptr fs:[00000030h]6_2_0131823B
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013D0274 mov eax, dword ptr fs:[00000030h]6_2_013D0274
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013D0274 mov eax, dword ptr fs:[00000030h]6_2_013D0274
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013D0274 mov eax, dword ptr fs:[00000030h]6_2_013D0274
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013D0274 mov eax, dword ptr fs:[00000030h]6_2_013D0274
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013D0274 mov eax, dword ptr fs:[00000030h]6_2_013D0274
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013D0274 mov eax, dword ptr fs:[00000030h]6_2_013D0274
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013D0274 mov eax, dword ptr fs:[00000030h]6_2_013D0274
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013D0274 mov eax, dword ptr fs:[00000030h]6_2_013D0274
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013D0274 mov eax, dword ptr fs:[00000030h]6_2_013D0274
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013D0274 mov eax, dword ptr fs:[00000030h]6_2_013D0274
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013D0274 mov eax, dword ptr fs:[00000030h]6_2_013D0274
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013D0274 mov eax, dword ptr fs:[00000030h]6_2_013D0274
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_01324260 mov eax, dword ptr fs:[00000030h]6_2_01324260
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_01324260 mov eax, dword ptr fs:[00000030h]6_2_01324260
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_01324260 mov eax, dword ptr fs:[00000030h]6_2_01324260
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0131826B mov eax, dword ptr fs:[00000030h]6_2_0131826B
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0131A250 mov eax, dword ptr fs:[00000030h]6_2_0131A250
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013F625D mov eax, dword ptr fs:[00000030h]6_2_013F625D
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_01326259 mov eax, dword ptr fs:[00000030h]6_2_01326259
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013DA250 mov eax, dword ptr fs:[00000030h]6_2_013DA250
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013DA250 mov eax, dword ptr fs:[00000030h]6_2_013DA250
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A8243 mov eax, dword ptr fs:[00000030h]6_2_013A8243
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A8243 mov ecx, dword ptr fs:[00000030h]6_2_013A8243
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013302A0 mov eax, dword ptr fs:[00000030h]6_2_013302A0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013302A0 mov eax, dword ptr fs:[00000030h]6_2_013302A0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013B62A0 mov eax, dword ptr fs:[00000030h]6_2_013B62A0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013B62A0 mov ecx, dword ptr fs:[00000030h]6_2_013B62A0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013B62A0 mov eax, dword ptr fs:[00000030h]6_2_013B62A0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013B62A0 mov eax, dword ptr fs:[00000030h]6_2_013B62A0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013B62A0 mov eax, dword ptr fs:[00000030h]6_2_013B62A0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013B62A0 mov eax, dword ptr fs:[00000030h]6_2_013B62A0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0135E284 mov eax, dword ptr fs:[00000030h]6_2_0135E284
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0135E284 mov eax, dword ptr fs:[00000030h]6_2_0135E284
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A0283 mov eax, dword ptr fs:[00000030h]6_2_013A0283
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A0283 mov eax, dword ptr fs:[00000030h]6_2_013A0283
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A0283 mov eax, dword ptr fs:[00000030h]6_2_013A0283
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013302E1 mov eax, dword ptr fs:[00000030h]6_2_013302E1
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013302E1 mov eax, dword ptr fs:[00000030h]6_2_013302E1
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013302E1 mov eax, dword ptr fs:[00000030h]6_2_013302E1
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013F62D6 mov eax, dword ptr fs:[00000030h]6_2_013F62D6
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0132A2C3 mov eax, dword ptr fs:[00000030h]6_2_0132A2C3
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0132A2C3 mov eax, dword ptr fs:[00000030h]6_2_0132A2C3
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0132A2C3 mov eax, dword ptr fs:[00000030h]6_2_0132A2C3
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0132A2C3 mov eax, dword ptr fs:[00000030h]6_2_0132A2C3
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0132A2C3 mov eax, dword ptr fs:[00000030h]6_2_0132A2C3
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_01330535 mov eax, dword ptr fs:[00000030h]6_2_01330535
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_01330535 mov eax, dword ptr fs:[00000030h]6_2_01330535
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_01330535 mov eax, dword ptr fs:[00000030h]6_2_01330535
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_01330535 mov eax, dword ptr fs:[00000030h]6_2_01330535
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_01330535 mov eax, dword ptr fs:[00000030h]6_2_01330535
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_01330535 mov eax, dword ptr fs:[00000030h]6_2_01330535
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0134E53E mov eax, dword ptr fs:[00000030h]6_2_0134E53E
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0134E53E mov eax, dword ptr fs:[00000030h]6_2_0134E53E
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0134E53E mov eax, dword ptr fs:[00000030h]6_2_0134E53E
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0134E53E mov eax, dword ptr fs:[00000030h]6_2_0134E53E
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0134E53E mov eax, dword ptr fs:[00000030h]6_2_0134E53E
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013B6500 mov eax, dword ptr fs:[00000030h]6_2_013B6500
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013F4500 mov eax, dword ptr fs:[00000030h]6_2_013F4500
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013F4500 mov eax, dword ptr fs:[00000030h]6_2_013F4500
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013F4500 mov eax, dword ptr fs:[00000030h]6_2_013F4500
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013F4500 mov eax, dword ptr fs:[00000030h]6_2_013F4500
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013F4500 mov eax, dword ptr fs:[00000030h]6_2_013F4500
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013F4500 mov eax, dword ptr fs:[00000030h]6_2_013F4500
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013F4500 mov eax, dword ptr fs:[00000030h]6_2_013F4500
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0135656A mov eax, dword ptr fs:[00000030h]6_2_0135656A
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0135656A mov eax, dword ptr fs:[00000030h]6_2_0135656A
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0135656A mov eax, dword ptr fs:[00000030h]6_2_0135656A
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_01328550 mov eax, dword ptr fs:[00000030h]6_2_01328550
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_01328550 mov eax, dword ptr fs:[00000030h]6_2_01328550
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013445B1 mov eax, dword ptr fs:[00000030h]6_2_013445B1
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013445B1 mov eax, dword ptr fs:[00000030h]6_2_013445B1
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A05A7 mov eax, dword ptr fs:[00000030h]6_2_013A05A7
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A05A7 mov eax, dword ptr fs:[00000030h]6_2_013A05A7
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A05A7 mov eax, dword ptr fs:[00000030h]6_2_013A05A7
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0135E59C mov eax, dword ptr fs:[00000030h]6_2_0135E59C
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_01322582 mov eax, dword ptr fs:[00000030h]6_2_01322582
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_01322582 mov ecx, dword ptr fs:[00000030h]6_2_01322582
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_01354588 mov eax, dword ptr fs:[00000030h]6_2_01354588
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013225E0 mov eax, dword ptr fs:[00000030h]6_2_013225E0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0134E5E7 mov eax, dword ptr fs:[00000030h]6_2_0134E5E7
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0134E5E7 mov eax, dword ptr fs:[00000030h]6_2_0134E5E7
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0134E5E7 mov eax, dword ptr fs:[00000030h]6_2_0134E5E7
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0134E5E7 mov eax, dword ptr fs:[00000030h]6_2_0134E5E7
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0134E5E7 mov eax, dword ptr fs:[00000030h]6_2_0134E5E7
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0134E5E7 mov eax, dword ptr fs:[00000030h]6_2_0134E5E7
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0134E5E7 mov eax, dword ptr fs:[00000030h]6_2_0134E5E7
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0134E5E7 mov eax, dword ptr fs:[00000030h]6_2_0134E5E7
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0135C5ED mov eax, dword ptr fs:[00000030h]6_2_0135C5ED
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0135C5ED mov eax, dword ptr fs:[00000030h]6_2_0135C5ED
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013265D0 mov eax, dword ptr fs:[00000030h]6_2_013265D0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0135A5D0 mov eax, dword ptr fs:[00000030h]6_2_0135A5D0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0135A5D0 mov eax, dword ptr fs:[00000030h]6_2_0135A5D0
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0135E5CF mov eax, dword ptr fs:[00000030h]6_2_0135E5CF
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0135E5CF mov eax, dword ptr fs:[00000030h]6_2_0135E5CF
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0131E420 mov eax, dword ptr fs:[00000030h]6_2_0131E420
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0131E420 mov eax, dword ptr fs:[00000030h]6_2_0131E420
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0131E420 mov eax, dword ptr fs:[00000030h]6_2_0131E420
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_0131C427 mov eax, dword ptr fs:[00000030h]6_2_0131C427
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A6420 mov eax, dword ptr fs:[00000030h]6_2_013A6420
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A6420 mov eax, dword ptr fs:[00000030h]6_2_013A6420
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A6420 mov eax, dword ptr fs:[00000030h]6_2_013A6420
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A6420 mov eax, dword ptr fs:[00000030h]6_2_013A6420
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A6420 mov eax, dword ptr fs:[00000030h]6_2_013A6420
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A6420 mov eax, dword ptr fs:[00000030h]6_2_013A6420
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_013A6420 mov eax, dword ptr fs:[00000030h]6_2_013A6420
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_01358402 mov eax, dword ptr fs:[00000030h]6_2_01358402
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeCode function: 6_2_01358402 mov eax, dword ptr fs:[00000030h]6_2_01358402
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe  Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process token adjusted: Debug
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe  Process token adjusted: Debug
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe  Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe"
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe NtClose: Indirect: 0x12CA56C
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe NtQueueApcThread: Indirect: 0x12CA4F2
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe NtClose: Indirect: 0xD9A56C
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe NtQueueApcThread: Indirect: 0xD9A4F2
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Memory written: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe Memory written: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Section loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\explorer.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\explorer.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe Section loaded: NULL target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Thread register set: target process: 2580
          Source: C:\Windows\SysWOW64\explorer.exe Thread register set: target process: 2580
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe Thread register set: target process: 2580
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Section unmapped: C:\Windows\SysWOW64\explorer.exe base address: B10000
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe Section unmapped: C:\Windows\SysWOW64\mstsc.exe base address: B30000
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe"
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmlPTospxjGJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D16.tmp"
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Process created: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe "C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe"
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmlPTospxjGJ" /XML "C:\Users\user\AppData\Local\Temp\tmp9CC5.tmp"
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe Process created: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe "C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe"
          Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe"
          Source: z8eokahasflcrscooplasb.exe, 00000006.00000002.1781377262.0000000003050000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1724892817.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4141043818.00000000018A1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000007.00000002.4141043818.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1717650869.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
          Source: z8eokahasflcrscooplasb.exe, 00000006.00000002.1781377262.0000000003050000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4140142855.0000000000B10000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: f+SDefaultShellSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells/NoUACCheck/NoShellRegistrationAndUACCheck/NoShellRegistrationCheckProxy DesktopProgmanLocal\ExplorerIsShellMutex
          Source: explorer.exe, 00000007.00000002.4140317801.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1717337994.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1Progman$
          Source: explorer.exe, 00000007.00000002.4141043818.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1717650869.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
          Source: explorer.exe, 00000007.00000002.4141043818.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1717650869.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeQueries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeQueries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeQueries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeQueries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exeQueries volume information: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match, File source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.4142442058.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.1798416868.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.4142618324.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.1797788735.00000000047B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1738168322.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match, File source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.z8eokahasflcrscooplasb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.z8eokahasflcrscooplasb.exe.4dd86b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.hmlPTospxjGJ.exe.49f9498.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.z8eokahasflcrscooplasb.exe.4d68898.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.hmlPTospxjGJ.exe.4989678.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.4142442058.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.1798416868.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.4142618324.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.1797788735.00000000047B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1738168322.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (the number before a technique is the count of matched signatures for that technique; techniques without a number were not observed):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 512 Process Injection | 1 Masquerading | OS Credential Dumping | 321 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Shared Modules | 1 DLL Side-Loading | 1 Scheduled Task/Job | 11 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Abuse Elevation Control Mechanism | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 11 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 512 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Abuse Elevation Control Mechanism | Cached Domain Credentials | 212 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 4 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 12 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph ID: 1544269
Sample: z8eokahasflcrscooplasb.exe
Startdate: 29/10/2024
Architecture: WINDOWS
Score: 100

DNS/IP info: www.mile-hkajwx.xyz (signature: Performs DNS queries to domains with low reputation); www.ysticsmoke.net; 9 other IPs or domains

Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 10 other signatures

Process tree (node numbers are the behavior graph's node ids):

z8eokahasflcrscooplasb.exe (node 11)
    Dropped files: C:\Users\user\AppData\...\hmlPTospxjGJ.exe (PE32); C:\Users\...\hmlPTospxjGJ.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp8D16.tmp (XML); C:\Users\...\z8eokahasflcrscooplasb.exe.log (ASCII)
    Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Tries to detect virtualization through RDTSC time measurements; 2 other signatures
    z8eokahasflcrscooplasb.exe (node 17)
        Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
        explorer.exe (node 28, injected)
            explorer.exe (node 38)
                Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces
                cmd.exe (node 43)
                    conhost.exe (node 45)
            mstsc.exe (node 41)
    powershell.exe (node 20)
        Signature: Loading BitLocker PowerShell Module
        WmiPrvSE.exe (node 30)
        conhost.exe (node 32)
    schtasks.exe (node 22)
        conhost.exe (node 34)
hmlPTospxjGJ.exe (node 15)
    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    hmlPTospxjGJ.exe (node 24)
        Signature: Found direct / indirect Syscall (likely to bypass EDR)
    schtasks.exe (node 26)
        conhost.exe (node 36)

Antivirus detection, submitted sample:

Source | Detection | Scanner | Label
z8eokahasflcrscooplasb.exe | 42% | ReversingLabs | ByteCode-MSIL.Trojan.Leonem
z8eokahasflcrscooplasb.exe | 50% | Virustotal |
z8eokahasflcrscooplasb.exe | 100% | Avira | HEUR/AGEN.1309540
z8eokahasflcrscooplasb.exe | 100% | Joe Sandbox ML |

Antivirus detection, dropped file:

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe | 100% | Avira | HEUR/AGEN.1309540
C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe | 42% | ReversingLabs | ByteCode-MSIL.Trojan.Leonem

Unpacked PE files: No Antivirus matches

Antivirus detection, domains:

Source | Detection | Scanner | Label
www.orty.pro | 0% | Virustotal |
www.ysticsmoke.net | 0% | Virustotal |
www.mile-hkajwx.xyz | 0% | Virustotal |
www.f9813.top | 0% | Virustotal |
                                          unknown
                                          https://excel.office.comexplorer.exe, 00000007.00000000.1736493405.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4150366155.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111370525.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3486378927.000000000C5E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-weexplorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                            unknown
                                            https://simpleflying.com/how-do-you-become-an-air-traffic-controller/explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.sajatypeworks.comz8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.founder.com.cn/cn/cThez8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.outya.xyzexplorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpfalse
                                              unknown
                                              http://www.pigramescentfeatous.shopexplorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                unknown
                                                http://www.mile-hkajwx.xyz/dn13/explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  unknown
                                                  http://www.outya.xyz/dn13/www.f9813.topexplorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    unknown
                                                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUYexplorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.trennebaffinbayamon.cfdReferer:explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      unknown
                                                      https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-darkexplorer.exe, 00000007.00000002.4144709532.00000000078A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.trennebaffinbayamon.cfd/dn13/www.ashclub.xyzexplorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        unknown
                                                        http://www.mile-hkajwx.xyzexplorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                          unknown
                                                          http://www.galapagosdesign.com/DPleasez8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.mile-hkajwx.xyzReferer:explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            unknown
                                                            http://www.wlkflwef3sf2wf.topReferer:explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              unknown
                                                              https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exeexplorer.exe, 00000007.00000003.3110797722.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1736493405.000000000C893000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://www.orty.proexplorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                unknown
                                                                http://www.urwpp.deDPleasez8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.zhongyicts.com.cnz8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namez8eokahasflcrscooplasb.exe, 00000000.00000002.1737247647.0000000003572000.00000004.00000800.00020000.00000000.sdmp, hmlPTospxjGJ.exe, 00000008.00000002.1779409471.0000000003140000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.anceibizamagazine.netReferer:explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  unknown
                                                                  http://www.trennebaffinbayamon.cfd/dn13/explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    unknown
                                                                    https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svgexplorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    http://www.autoitscript.com/autoit3/Jexplorer.exe, 00000007.00000003.3110687045.000000000C9AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4151466263.000000000C9AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108517681.000000000C9A5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485621993.000000000C9AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1736493405.000000000C964000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      unknown
                                                                      https://wns.windows.com/Lexplorer.exe, 00000007.00000002.4150366155.000000000C557000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      http://www.mile-hkajwx.xyz/dn13/www.ood-packing-iasehq19x224.todayexplorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        unknown
                                                                        https://word.office.comexplorer.exe, 00000007.00000000.1736493405.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4150366155.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111370525.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3486378927.000000000C5E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        http://www.wlkflwef3sf2wf.topexplorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          unknown
                                                                          https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earningsexplorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZuexplorer.exe, 00000007.00000002.4144709532.00000000078A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          http://www.ysticsmoke.net/dn13/www.pigramescentfeatous.shopexplorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            unknown
                                                                            http://www.lindsandfurnishings.shopexplorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                              unknown
                                                                              https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-winexplorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                unknown
                                                                                http://www.anceibizamagazine.netexplorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  unknown
                                                                                  https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://www.ozezae7.proexplorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    unknown
                                                                                    https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                      unknown
                                                                                      http://www.ashclub.xyzReferer:explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                        unknown
                                                                                        http://www.ysterywarrior932.topReferer:explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          unknown
                                                                                          http://www.carterandcone.comlz8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          http://www.f9813.top/dn13/www.trennebaffinbayamon.cfdexplorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                            unknown
                                                                                            https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeuexplorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                            • URL Reputation: safe
                                                                                            unknown
                                                                                            http://www.outya.xyz/dn13/explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              unknown
                                                                                              http://www.fontbureau.com/designers/frere-user.htmlz8eokahasflcrscooplasb.exe, 00000000.00000002.1741214843.0000000007462000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              • URL Reputation: safe
                                                                                              unknown
                                                                                              http://www.pigramescentfeatous.shop/dn13/explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                unknown
                                                                                                http://www.ood-packing-iasehq19x224.todayReferer:explorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  unknown
                                                                                                  https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-darkexplorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  https://www.rd.com/list/polite-habits-campers-dislike/explorer.exe, 00000007.00000000.1721047830.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4144709532.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  https://android.notify.windows.com/iOSexplorer.exe, 00000007.00000000.1736493405.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  http://www.orty.pro/dn13/www.lindsandfurnishings.shopexplorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    unknown
                                                                                                    http://www.p9eh2s99b5.topexplorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                      unknown
                                                                                                      https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.imgexplorer.exe, 00000007.00000002.4144709532.00000000078A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1721047830.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                        unknown
                                                                                                        http://www.pigramescentfeatous.shop/dn13/www.outya.xyzexplorer.exe, 00000007.00000002.4151872889.000000000CB05000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106127214.000000000CB1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3485338167.000000000CB1A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          unknown
                                                                                                          https://outlook.com_explorer.exe, 00000007.00000000.1736493405.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4150366155.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111370525.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3486378927.000000000C5E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1544269
Start date and time: 2024-10-29 07:31:04 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 47s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: z8eokahasflcrscooplasb.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@275/11@11/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 187
• Number of non-executed functions: 245
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Time      Type             Description
02:31:58  API Interceptor  2x Sleep call for process: z8eokahasflcrscooplasb.exe modified
02:32:00  API Interceptor  15x Sleep call for process: powershell.exe modified
02:32:00  API Interceptor  16428685x Sleep call for process: explorer.exe modified
02:32:02  API Interceptor  2x Sleep call for process: hmlPTospxjGJ.exe modified
06:32:01  Task Scheduler   Run new task: hmlPTospxjGJ path: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe

No context
Process: C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Process: C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 2232
Entropy (8bit): 5.379401388151058
Encrypted: false
                                                                                                                                        SSDEEP:48:fWSU4xc4RTmaoUeW+gZ9tK8NPZHUxL7u1iMuge//ZmUyus:fLHxcIalLgZ2KRHWLOuggs
                                                                                                                                        MD5:9FD1653F89C63CD3E067EF7508AA964D
                                                                                                                                        SHA1:CB3FFD37D9680F8610EFC94979E359651C2EE2EB
                                                                                                                                        SHA-256:8F7DFF97B9E70918B70474AF53FC5B61DB6A5C06D708A6F0CB5533365F5E4228
                                                                                                                                        SHA-512:13D6819143098A457CE566F07A1B001C7F445D9A974834E6C29F0C37E0C0972449E9163A2B3912E1E1A74F378A5E41974BF3A070644EAFD012828F74941F2F65
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.ConfigurationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.4.................%...K... ...........System.Xml..<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):60
                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):60
                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):60
                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):60
                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                        Process:C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe
                                                                                                                                        File Type:XML 1.0 document, ASCII text
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1578
                                                                                                                                        Entropy (8bit):5.112308697100384
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtajxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTUv
                                                                                                                                        MD5:157BFC3A891BD3FB7906AEF57C7F2B03
                                                                                                                                        SHA1:02B9688B66A02BDCEF32258D5DF9B75FB2E6471B
                                                                                                                                        SHA-256:E6EE6580D9AFDE278A39E32F2B062083C486185466A6A638F9F531A433EE6890
                                                                                                                                        SHA-512:350A86E2DF4880460B81E3EB5678F7952A17AF846029B473F5837D3D778A350B2496F01FCA627928F9198207006EF6A5910DBB93CA53421033997438BAA28671
                                                                                                                                        Malicious:true
                                                                                                                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                                                                                        Process:C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe
                                                                                                                                        File Type:XML 1.0 document, ASCII text
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1578
                                                                                                                                        Entropy (8bit):5.112308697100384
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtajxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTUv
                                                                                                                                        MD5:157BFC3A891BD3FB7906AEF57C7F2B03
                                                                                                                                        SHA1:02B9688B66A02BDCEF32258D5DF9B75FB2E6471B
                                                                                                                                        SHA-256:E6EE6580D9AFDE278A39E32F2B062083C486185466A6A638F9F531A433EE6890
                                                                                                                                        SHA-512:350A86E2DF4880460B81E3EB5678F7952A17AF846029B473F5837D3D778A350B2496F01FCA627928F9198207006EF6A5910DBB93CA53421033997438BAA28671
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                                                                                        Process:C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe
                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):666624
                                                                                                                                        Entropy (8bit):7.671490332830174
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:12288:JMRkVqoYve4eWCRO5W9Se/DETPCvTtQdH41lIaPLLrR:eRkVPP49Ip4ebELCvJQx45V
                                                                                                                                        MD5:1660C33123052F15E4E63891F23DDD1E
                                                                                                                                        SHA1:3B93EB0499260F494066D6A28F1238C1C440B04F
                                                                                                                                        SHA-256:44AB353624B9E867AE31A0523437ED8E321F361D248B471C15BD2902255280F3
                                                                                                                                        SHA-512:6C55D8BCFC60D513AE59CAE83EB0EC0EE4B740DD0305664F3997FD9758104E79238D8F9304345DE94C9B76ED8C6FD03F8E66AB72C9F49D55D8A18B5388B58351
                                                                                                                                        Malicious:true
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 42%
                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....s g..............0..............4... ...@....@.. ....................................@..................................4..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......(..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                        Process:C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe
                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):26
                                                                                                                                        Entropy (8bit):3.95006375643621
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:3:ggPYV:rPYV
                                                                                                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                        Malicious:true
                                                                                                                                        Preview:[ZoneTransfer]....ZoneId=0
                                                                                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                        Entropy (8bit):7.671490332830174
                                                                                                                                        TrID:
                                                                                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                        • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                                                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                        File name:z8eokahasflcrscooplasb.exe
                                                                                                                                        File size:666'624 bytes
                                                                                                                                        MD5:1660c33123052f15e4e63891f23ddd1e
                                                                                                                                        SHA1:3b93eb0499260f494066d6a28f1238c1c440b04f
                                                                                                                                        SHA256:44ab353624b9e867ae31a0523437ed8e321f361d248b471c15bd2902255280f3
                                                                                                                                        SHA512:6c55d8bcfc60d513ae59cae83eb0ec0ee4b740dd0305664f3997fd9758104e79238d8f9304345de94c9b76ed8c6fd03f8e66ab72c9f49d55d8a18b5388b58351
                                                                                                                                        SSDEEP:12288:JMRkVqoYve4eWCRO5W9Se/DETPCvTtQdH41lIaPLLrR:eRkVPP49Ip4ebELCvJQx45V
                                                                                                                                        TLSH:42E4D0D03F36731ADE69A934D619EDBA52A11A78B040B9F36ADC3B4735CD211AE0CF41
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....s g..............0..............4... ...@....@.. ....................................@................................
Icon Hash: 4d162aaa22324d30
Entrypoint: 0x4a34fe
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x672073AC [Tue Oct 29 05:33:32 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                                        Instruction
                                                                                                                                        jmp dword ptr [00402000h]
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
------------------------------------  ---------------  ------------  -------------
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xa34ac          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xa4000          0xbf0         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xa6000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
------  ---------------  ------------  --------  --------------------------------  --------  ------------------  ---------  -------------------  ---------------
.text   0x2000           0xa1504       0xa1800   6560dd15e6fb592f1ccfaffb3d4cd5e6  False     0.8731844403057275  data       7.682191163103425    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xa4000          0xbf0         0xc00     dcc1345653a3dca71204b0862214d105  False     0.5003255208333334  data       6.207696132972999    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xa6000          0xc           0x400     440dc9ebda04dad2b693f7e515715f5e  False     0.0234375           data       0.04468700625387198  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size   Type                                                          Language  Country  ZLIB Complexity
-------------  -------  -----  ------------------------------------------------------------  --------  -------  -------------------
RT_ICON        0xa40c8  0x823  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                      0.5583293326932309
RT_GROUP_ICON  0xa48fc  0x14   data                                                                             1.05
RT_VERSION     0xa4920  0x2cc  data                                                                             0.43156424581005587
DLL          Import
-----------  -----------
mscoree.dll  _CorExeMain
Timestamp                          Source Port  Dest Port  Source IP    Dest IP
---------------------------------  -----------  ---------  -----------  -----------
Oct 29, 2024 07:32:36.905491114 CET  59709      53         192.168.2.4  1.1.1.1
Oct 29, 2024 07:32:36.999651909 CET  53         59709      1.1.1.1      192.168.2.4
Oct 29, 2024 07:32:56.732836008 CET  62467      53         192.168.2.4  1.1.1.1
Oct 29, 2024 07:32:56.749761105 CET  53         62467      1.1.1.1      192.168.2.4
Oct 29, 2024 07:33:16.686333895 CET  49942      53         192.168.2.4  1.1.1.1
Oct 29, 2024 07:33:16.701570988 CET  53         49942      1.1.1.1      192.168.2.4
Oct 29, 2024 07:33:37.067966938 CET  50640      53         192.168.2.4  1.1.1.1
Oct 29, 2024 07:33:37.383001089 CET  53         50640      1.1.1.1      192.168.2.4
Oct 29, 2024 07:33:57.594007969 CET  52190      53         192.168.2.4  1.1.1.1
Oct 29, 2024 07:33:57.604242086 CET  53         52190      1.1.1.1      192.168.2.4
Oct 29, 2024 07:34:18.621787071 CET  53706      53         192.168.2.4  1.1.1.1
Oct 29, 2024 07:34:18.637233973 CET  53         53706      1.1.1.1      192.168.2.4
Oct 29, 2024 07:34:39.999366045 CET  53398      53         192.168.2.4  1.1.1.1
Oct 29, 2024 07:34:40.015850067 CET  53         53398      1.1.1.1      192.168.2.4
Oct 29, 2024 07:35:00.946914911 CET  51054      53         192.168.2.4  1.1.1.1
Oct 29, 2024 07:35:00.956190109 CET  53         51054      1.1.1.1      192.168.2.4
Oct 29, 2024 07:35:21.827333927 CET  52107      53         192.168.2.4  1.1.1.1
Oct 29, 2024 07:35:21.836689949 CET  53         52107      1.1.1.1      192.168.2.4
Oct 29, 2024 07:35:42.196604013 CET  57811      53         192.168.2.4  1.1.1.1
Oct 29, 2024 07:35:42.206157923 CET  53         57811      1.1.1.1      192.168.2.4
Oct 29, 2024 07:36:25.623719931 CET  53842      53         192.168.2.4  1.1.1.1
Oct 29, 2024 07:36:25.941529036 CET  53         53842      1.1.1.1      192.168.2.4
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                                Type            Class        DNS over HTTPS
-----------------------------------  -----------  -------  --------  ------------------  ----------------------------------  --------------  -----------  --------------
Oct 29, 2024 07:32:36.905491114 CET  192.168.2.4  1.1.1.1  0x3dcc    Standard query (0)  www.ysterywarrior932.top            A (IP address)  IN (0x0001)  false
Oct 29, 2024 07:32:56.732836008 CET  192.168.2.4  1.1.1.1  0xd738    Standard query (0)  www.mile-hkajwx.xyz                 A (IP address)  IN (0x0001)  false
Oct 29, 2024 07:33:16.686333895 CET  192.168.2.4  1.1.1.1  0xf1f4    Standard query (0)  www.ood-packing-iasehq19x224.today  A (IP address)  IN (0x0001)  false
Oct 29, 2024 07:33:37.067966938 CET  192.168.2.4  1.1.1.1  0xf82     Standard query (0)  www.wlkflwef3sf2wf.top              A (IP address)  IN (0x0001)  false
Oct 29, 2024 07:33:57.594007969 CET  192.168.2.4  1.1.1.1  0x573c    Standard query (0)  www.anceibizamagazine.net           A (IP address)  IN (0x0001)  false
Oct 29, 2024 07:34:18.621787071 CET  192.168.2.4  1.1.1.1  0x1e85    Standard query (0)  www.ozezae7.pro                     A (IP address)  IN (0x0001)  false
Oct 29, 2024 07:34:39.999366045 CET  192.168.2.4  1.1.1.1  0xf007    Standard query (0)  www.orty.pro                        A (IP address)  IN (0x0001)  false
Oct 29, 2024 07:35:00.946914911 CET  192.168.2.4  1.1.1.1  0x25bc    Standard query (0)  www.lindsandfurnishings.shop        A (IP address)  IN (0x0001)  false
Oct 29, 2024 07:35:21.827333927 CET  192.168.2.4  1.1.1.1  0x25e2    Standard query (0)  www.ysticsmoke.net                  A (IP address)  IN (0x0001)  false
Oct 29, 2024 07:35:42.196604013 CET  192.168.2.4  1.1.1.1  0x4695    Standard query (0)  www.pigramescentfeatous.shop        A (IP address)  IN (0x0001)  false
Oct 29, 2024 07:36:25.623719931 CET  192.168.2.4  1.1.1.1  0x6e48    Standard query (0)  www.f9813.top                       A (IP address)  IN (0x0001)  false
                                                                                                                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 29, 2024 07:32:36.999651909 CET | 1.1.1.1 | 192.168.2.4 | 0x3dcc | Name error (3) | www.ysterywarrior932.top | none | none | A (IP address) | IN (0x0001) | false
Oct 29, 2024 07:32:56.749761105 CET | 1.1.1.1 | 192.168.2.4 | 0xd738 | Name error (3) | www.mile-hkajwx.xyz | none | none | A (IP address) | IN (0x0001) | false
Oct 29, 2024 07:33:16.701570988 CET | 1.1.1.1 | 192.168.2.4 | 0xf1f4 | Name error (3) | www.ood-packing-iasehq19x224.today | none | none | A (IP address) | IN (0x0001) | false
Oct 29, 2024 07:33:37.383001089 CET | 1.1.1.1 | 192.168.2.4 | 0xf82 | Name error (3) | www.wlkflwef3sf2wf.top | none | none | A (IP address) | IN (0x0001) | false
Oct 29, 2024 07:33:57.604242086 CET | 1.1.1.1 | 192.168.2.4 | 0x573c | Name error (3) | www.anceibizamagazine.net | none | none | A (IP address) | IN (0x0001) | false
Oct 29, 2024 07:34:18.637233973 CET | 1.1.1.1 | 192.168.2.4 | 0x1e85 | Name error (3) | www.ozezae7.pro | none | none | A (IP address) | IN (0x0001) | false
Oct 29, 2024 07:34:40.015850067 CET | 1.1.1.1 | 192.168.2.4 | 0xf007 | Name error (3) | www.orty.pro | none | none | A (IP address) | IN (0x0001) | false
Oct 29, 2024 07:35:00.956190109 CET | 1.1.1.1 | 192.168.2.4 | 0x25bc | Name error (3) | www.lindsandfurnishings.shop | none | none | A (IP address) | IN (0x0001) | false
Oct 29, 2024 07:35:21.836689949 CET | 1.1.1.1 | 192.168.2.4 | 0x25e2 | Name error (3) | www.ysticsmoke.net | none | none | A (IP address) | IN (0x0001) | false
Oct 29, 2024 07:35:42.206157923 CET | 1.1.1.1 | 192.168.2.4 | 0x4695 | Name error (3) | www.pigramescentfeatous.shop | none | none | A (IP address) | IN (0x0001) | false
Oct 29, 2024 07:36:25.941529036 CET | 1.1.1.1 | 192.168.2.4 | 0x6e48 | Name error (3) | www.f9813.top | none | none | A (IP address) | IN (0x0001) | false
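Every answer above is reply code 3 (NXDOMAIN) for a different A query, spaced roughly twenty seconds apart: the sandbox host walks FormBook's embedded domain list and nothing resolves. That shape is detectable from resolver or DNS-sensor logs without knowing any of the domains in advance. The script below is an added example, not part of the Joe Sandbox report and not Joe Sandbox's own logic. It parses a constructed pipe-separated log whose 192.168.2.4 rows reuse the timestamps, domains and reply codes from the table above (sub-second precision dropped); the 192.168.2.7 rows, the ten-minute window and the threshold of five distinct names are assumptions chosen for illustration.

```python
"""Added example, not part of the Joe Sandbox report: flag a client that
receives a burst of NXDOMAIN (rcode 3) answers for many distinct A queries
inside a short window, the pattern FormBook produces while it walks its
decoy/C2 domain list."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, pipe-separated:
#   timestamp | resolver | client | txid | rcode | name | qtype
# 192.168.2.4 rows mirror the report above; 192.168.2.7 rows are invented
# benign traffic (one typo, two successful lookups) that must not alert.
SAMPLE = """\
2024-10-29 07:32:36|1.1.1.1|192.168.2.4|0x3dcc|3|www.ysterywarrior932.top|A
2024-10-29 07:32:56|1.1.1.1|192.168.2.4|0xd738|3|www.mile-hkajwx.xyz|A
2024-10-29 07:33:00|1.1.1.1|192.168.2.7|0x0001|0|www.example.com|A
2024-10-29 07:33:16|1.1.1.1|192.168.2.4|0xf1f4|3|www.ood-packing-iasehq19x224.today|A
2024-10-29 07:33:37|1.1.1.1|192.168.2.4|0xf82|3|www.wlkflwef3sf2wf.top|A
2024-10-29 07:33:40|1.1.1.1|192.168.2.7|0x0002|3|typo.example.invalid|A
2024-10-29 07:33:57|1.1.1.1|192.168.2.4|0x573c|3|www.anceibizamagazine.net|A
2024-10-29 07:34:18|1.1.1.1|192.168.2.4|0x1e85|3|www.ozezae7.pro|A
2024-10-29 07:34:40|1.1.1.1|192.168.2.4|0xf007|3|www.orty.pro|A
2024-10-29 07:35:00|1.1.1.1|192.168.2.4|0x25bc|3|www.lindsandfurnishings.shop|A
2024-10-29 07:35:05|1.1.1.1|192.168.2.7|0x0003|0|www.example.net|A
2024-10-29 07:35:21|1.1.1.1|192.168.2.4|0x25e2|3|www.ysticsmoke.net|A
2024-10-29 07:35:42|1.1.1.1|192.168.2.4|0x4695|3|www.pigramescentfeatous.shop|A
2024-10-29 07:36:25|1.1.1.1|192.168.2.4|0x6e48|3|www.f9813.top|A
"""


def parse_records(text):
    """Turn the pipe-separated log into a list of dicts with a real datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, resolver, client, txid, rcode, name, qtype = line.split("|")
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "resolver": resolver, "client": client, "txid": txid,
            "rcode": int(rcode), "name": name.strip().lower(), "qtype": qtype,
        })
    return records


def nxdomain_bursts(records, window=timedelta(minutes=10), threshold=5):
    """Return {client: sorted names} for every client that, inside any
    `window`, received NXDOMAIN for at least `threshold` distinct A names
    that never resolved successfully for that client (keyed on the
    answer's destination, i.e. the host that asked)."""
    failures = defaultdict(list)          # client -> [(ts, name), ...]
    resolved = set()                      # (client, name) pairs with rcode 0
    for r in records:
        if r["qtype"] != "A":
            continue
        if r["rcode"] == 0:
            resolved.add((r["client"], r["name"]))
        elif r["rcode"] == 3:
            failures[r["client"]].append((r["ts"], r["name"]))

    alerts = {}
    for client, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the left edge until the window fits
            while events[end][0] - events[start][0] > window:
                start += 1
            names = {n for _, n in events[start:end + 1]
                     if (client, n) not in resolved}
            if len(names) >= threshold:
                alerts[client] = sorted(names | set(alerts.get(client, [])))
    return alerts


if __name__ == "__main__":
    for client, names in nxdomain_bursts(parse_records(SAMPLE)).items():
        print(f"{client}: {len(names)} distinct NXDOMAIN names in window")
        for n in names:
            print("   ", n)
```

The rule keys on the destination of the answer rather than the source, because in a reply the resolver (1.1.1.1 here) is the sender and the infected host is the receiver. Requiring that none of the flagged names ever resolved for that client keeps a host with a handful of typos out of the alert; a real deployment would also want an allow-list for internal search-suffix noise and for telemetry domains that are legitimately retired.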

                                                                                                                                        Target ID:0
                                                                                                                                        Start time:02:31:57
                                                                                                                                        Start date:29/10/2024
                                                                                                                                        Path:C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe
                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                        Commandline:"C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe"
                                                                                                                                        Imagebase:0xec0000
                                                                                                                                        File size:666'624 bytes
                                                                                                                                        MD5 hash:1660C33123052F15E4E63891F23DDD1E
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Yara matches:
                                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1738168322.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1738168322.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1738168322.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1738168322.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1738168322.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                        Reputation:low
                                                                                                                                        Has exited:true

                                                                                                                                        Target ID:2
                                                                                                                                        Start time:02:31:59
                                                                                                                                        Start date:29/10/2024
                                                                                                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe"
                                                                                                                                        Imagebase:0x7b0000
                                                                                                                                        File size:433'152 bytes
                                                                                                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:high
                                                                                                                                        Has exited:true

                                                                                                                                        Target ID:3
                                                                                                                                        Start time:02:31:59
                                                                                                                                        Start date:29/10/2024
                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                        File size:862'208 bytes
                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:high
                                                                                                                                        Has exited:true

                                                                                                                                        Target ID:4
                                                                                                                                        Start time:02:31:59
                                                                                                                                        Start date:29/10/2024
                                                                                                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmlPTospxjGJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D16.tmp"
                                                                                                                                        Imagebase:0xc0000
                                                                                                                                        File size:187'904 bytes
                                                                                                                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:high
                                                                                                                                        Has exited:true

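Targets 2 and 4 are the two defence-evasion and persistence steps the dropper runs before it injects: a Windows Defender path exclusion for the copy it is about to write to AppData\Roaming, and a scheduled task created from an XML file that lives in the user's Temp directory (the two Sigma hits listed at the top of the report). Both are visible in ordinary process-creation telemetry. The following is an added example, not part of the Joe Sandbox report and not a Sigma rule or Joe Sandbox code: it runs two simple matchers over constructed Sysmon-style events whose first two command lines are copied from the process list above. The third event, a variant that hides the same Add-MpPreference call behind -EncodedCommand, and the two benign events are assumptions added to show the decode path and the negative cases.

```python
"""Added example, not part of the Joe Sandbox report: flag (1) PowerShell
adding a Windows Defender exclusion, also when passed via -EncodedCommand,
and (2) schtasks.exe creating a task from an XML file under the user's
Temp directory.  Event field names follow Sysmon Event ID 1."""
import base64
import re

POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
DROPPER = r"C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe"

# Constructed encoded variant (assumption, not seen in the report): the same
# exclusion command, UTF-16LE and base64 as powershell.exe -EncodedCommand expects.
_ENCODED = base64.b64encode(
    r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe"'
    .encode("utf-16-le")).decode("ascii")

# Constructed events; the first two command lines are the report's own.
EVENTS = [
    {"ParentImage": DROPPER, "Image": POWERSHELL,
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                    r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe"'},
    {"ParentImage": DROPPER, "Image": SCHTASKS,
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmlPTospxjGJ" '
                    r'/XML "C:\Users\user\AppData\Local\Temp\tmp8D16.tmp"'},
    {"ParentImage": DROPPER, "Image": POWERSHELL,
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand " + _ENCODED},
    # benign (assumed): an admin importing a task definition from ProgramData
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": SCHTASKS,
     "CommandLine": r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"'},
    # benign (assumed): reading, not changing, Defender preferences
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": POWERSHELL,
     "CommandLine": "powershell.exe Get-MpPreference"},
]

# powershell.exe accepts unambiguous prefixes of -EncodedCommand; the common
# short forms are listed explicitly.  The payload is base64 of UTF-16LE text.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
DEFENDER_EXCLUSION = re.compile(r"(?i)\bAdd-MpPreference\b.*-Exclusion(?:Path|Process|Extension|IpAddress)\b")
# Assumes the path is already expanded; %TEMP% in the raw command line would need
# expansion before matching.
TEMP_TASK_XML = re.compile(r'(?i)/XML\s+"?([^"\s]*\\AppData\\Local\\Temp\\[^"\s]*)')


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text, or None if absent/undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event):
    """Return the list of rule names one process-creation event matches."""
    hits = []
    image = event["Image"].lower()
    cmd = event["CommandLine"]
    if image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        decoded = decode_encoded_command(cmd)
        # match against the visible command line plus whatever it decoded to
        text = cmd if decoded is None else cmd + " " + decoded
        if DEFENDER_EXCLUSION.search(text):
            hits.append("defender_exclusion_added" + ("_encoded" if decoded else ""))
    if image.endswith("\\schtasks.exe") and re.search(r"(?i)/create\b", cmd) \
            and TEMP_TASK_XML.search(cmd):
        hits.append("schtask_from_temp_xml")
    return hits


def scan(events):
    """Classify every event; result is index-aligned with the input list."""
    return [classify(e) for e in events]


if __name__ == "__main__":
    for event, hits in zip(EVENTS, scan(EVENTS)):
        if hits:
            print(", ".join(hits), "<-", event["CommandLine"][:70])
```

Pairing either hit with a parent image outside the usual administrative tooling (here the parent is the freshly downloaded executable on the Desktop) is what turns a noisy rule into an actionable one; on its own, Add-MpPreference is also used by legitimate software installers.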
                                                                                                                                        Target ID:5
                                                                                                                                        Start time:02:31:59
                                                                                                                                        Start date:29/10/2024
                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                        File size:862'208 bytes
                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:high
                                                                                                                                        Has exited:true

                                                                                                                                        Target ID:6
                                                                                                                                        Start time:02:31:59
                                                                                                                                        Start date:29/10/2024
                                                                                                                                        Path:C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe
                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                        Commandline:"C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe"
                                                                                                                                        Imagebase:0x840000
                                                                                                                                        File size:666'624 bytes
                                                                                                                                        MD5 hash:1660C33123052F15E4E63891F23DDD1E
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Yara matches:
                                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                        Reputation:low
                                                                                                                                        Has exited:true

                                                                                                                                        Target ID:7
                                                                                                                                        Start time:02:32:00
                                                                                                                                        Start date:29/10/2024
                                                                                                                                        Path:C:\Windows\explorer.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:C:\Windows\Explorer.EXE
                                                                                                                                        Imagebase:0x7ff72b770000
                                                                                                                                        File size:5'141'208 bytes
                                                                                                                                        MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                                        Has elevated privileges:false
                                                                                                                                        Has administrator privileges:false
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Yara matches:
                                                                                                                                        • Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000007.00000002.4152196445.000000000E839000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                        Reputation:high
                                                                                                                                        Has exited:false

                                                                                                                                        Target ID:8
                                                                                                                                        Start time:02:32:01
                                                                                                                                        Start date:29/10/2024
                                                                                                                                        Path:C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe
                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                        Commandline:C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe
                                                                                                                                        Imagebase:0xb80000
                                                                                                                                        File size:666'624 bytes
                                                                                                                                        MD5 hash:1660C33123052F15E4E63891F23DDD1E
                                                                                                                                        Has elevated privileges:false
                                                                                                                                        Has administrator privileges:false
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Yara matches:
                                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.1797788735.00000000047B7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.1797788735.00000000047B7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.1797788735.00000000047B7000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.1797788735.00000000047B7000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.1797788735.00000000047B7000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                        Antivirus matches:
                                                                                                                                        • Detection: 100%, Avira
                                                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                                                        • Detection: 42%, ReversingLabs
                                                                                                                                        Reputation:low
                                                                                                                                        Has exited:true

                                                                                                                                        Target ID:9
                                                                                                                                        Start time:02:32:01
                                                                                                                                        Start date:29/10/2024
                                                                                                                                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                        Imagebase:0x7ff693ab0000
                                                                                                                                        File size:496'640 bytes
                                                                                                                                        MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:false
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:high
                                                                                                                                        Has exited:false

                                                                                                                                        Target ID:10
                                                                                                                                        Start time:02:32:03
                                                                                                                                        Start date:29/10/2024
                                                                                                                                        Path:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                        Commandline:"C:\Windows\SysWOW64\explorer.exe"
                                                                                                                                        Imagebase:0xb10000
                                                                                                                                        File size:4'514'184 bytes
                                                                                                                                        MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
                                                                                                                                        Has elevated privileges:false
                                                                                                                                        Has administrator privileges:false
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Yara matches:
                                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.4139946616.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.4142442058.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.4142442058.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.4142442058.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.4142442058.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.4142442058.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.4142618324.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.4142618324.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.4142618324.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.4142618324.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.4142618324.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                        Reputation:moderate
                                                                                                                                        Has exited:false

                                                                                                                                        Target ID:11
                                                                                                                                        Start time:02:32:03
                                                                                                                                        Start date:29/10/2024
                                                                                                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmlPTospxjGJ" /XML "C:\Users\user\AppData\Local\Temp\tmp9CC5.tmp"
                                                                                                                                        Imagebase:0xc0000
                                                                                                                                        File size:187'904 bytes
                                                                                                                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                                        Has elevated privileges:false
                                                                                                                                        Has administrator privileges:false
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:high
                                                                                                                                        Has exited:true

                                                                                                                                        Target ID:12
                                                                                                                                        Start time:02:32:03
                                                                                                                                        Start date:29/10/2024
                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                        File size:862'208 bytes
                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                        Has elevated privileges:false
                                                                                                                                        Has administrator privileges:false
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:high
                                                                                                                                        Has exited:true

                                                                                                                                        Target ID:13
                                                                                                                                        Start time:02:32:04
                                                                                                                                        Start date:29/10/2024
                                                                                                                                        Path:C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe
                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\hmlPTospxjGJ.exe"
                                                                                                                                        Imagebase:0x6f0000
                                                                                                                                        File size:666'624 bytes
                                                                                                                                        MD5 hash:1660C33123052F15E4E63891F23DDD1E
                                                                                                                                        Has elevated privileges:false
                                                                                                                                        Has administrator privileges:false
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:low
                                                                                                                                        Has exited:true

                                                                                                                                        Target ID:14
                                                                                                                                        Start time:02:32:04
                                                                                                                                        Start date:29/10/2024
                                                                                                                                        Path:C:\Windows\SysWOW64\mstsc.exe
                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                        Commandline:"C:\Windows\SysWOW64\mstsc.exe"
                                                                                                                                        Imagebase:0xb30000
                                                                                                                                        File size:1'264'640 bytes
                                                                                                                                        MD5 hash:EA4A02BE14C405327EEBA8D9AD2BD42C
                                                                                                                                        Has elevated privileges:false
                                                                                                                                        Has administrator privileges:false
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Yara matches:
                                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.1798416868.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.1798416868.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.1798416868.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.1798416868.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.1798416868.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                        Reputation:moderate
                                                                                                                                        Has exited:true

                                                                                                                                        Target ID:15
                                                                                                                                        Start time:02:32:06
                                                                                                                                        Start date:29/10/2024
                                                                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                        Commandline:/c del "C:\Users\user\Desktop\z8eokahasflcrscooplasb.exe"
                                                                                                                                        Imagebase:0x240000
                                                                                                                                        File size:236'544 bytes
                                                                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                        Has elevated privileges:false
                                                                                                                                        Has administrator privileges:false
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Has exited:true

                                                                                                                                        Target ID:16
                                                                                                                                        Start time:02:32:07
                                                                                                                                        Start date:29/10/2024
                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                        File size:862'208 bytes
                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                        Has elevated privileges:false
                                                                                                                                        Has administrator privileges:false
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Has exited:true


                                                                                                                                          Execution Graph

                                                                                                                                          Execution Coverage:13.5%
                                                                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                                                                          Signature Coverage:2.3%
                                                                                                                                          Total number of Nodes:257
                                                                                                                                          Total number of Limit Nodes:7
                                                                                                                                          execution_graph (rendered graph omitted; the graph nodes name the following API calls, in order of appearance: OutputDebugStringW, NtQueryInformationProcess, DuplicateHandle, WriteProcessMemory, CreateProcessA, Wow64SetThreadContext, ResumeThread, VirtualAllocEx, ReadProcessMemory, CreateActCtxA, CreateIconFromResourceEx, PostMessageW, GetModuleHandleW, CallWindowProcW, DrawTextExW)

                                                                                                                                          Control-flow Graph

                                                                                                                                          • Executed
                                                                                                                                          • Not Executed
                                                                                                                                          control_flow_graph (rendered graph omitted; the graph is rooted at block 57d7438-57d7770 and its call targets are given by address only, no API names appear)
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740041748.00000000057D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057D0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_57d0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: $ $ $ $ $ $ $ $ $ $ $ $ $ $ $($($-$-$.$7$7$7$7$]$]$]$]$]$]$e$e$e$l$m$m$m$n
                                                                                                                                          • API String ID: 0-3042459311
                                                                                                                                          • Opcode ID: d2dd218af4732ba6fa23697746659e0f93e491521c1e9e2868d476642e5401ff
                                                                                                                                          • Instruction ID: 3e66da4e40fb5a3d2d5fe640e2954bcd4cf056a7baa6beaee74ebff4bf7aff63
                                                                                                                                          • Opcode Fuzzy Hash: d2dd218af4732ba6fa23697746659e0f93e491521c1e9e2868d476642e5401ff
                                                                                                                                          • Instruction Fuzzy Hash: E7332A30A10745CFCB15EF38C898B99B7B2FF89304F508699E4596B360EB71AA85CF51

                                                                                                                                           Control-flow Graph
                                                                                                                                           Rendered in the interactive report; the node and edge list is omitted here. Entry block 57d742a-57d7432; from 57d7438 on the block addresses coincide with the previous record's, with the same straight-line runs of calls into the stubs 57d7214 through 57d73d4 (0x10 apart) and into 30beb58, 30b82c8/30b5cb4, 58cec3c/58cec48, 57d54a0, 57dddaf/57dddc0 and 7c7c428/7c7c438; final blocks 57d97f0-57d97f7 and 57d9823-57d98e3.
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740041748.00000000057D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057D0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_57d0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: $ $ $ $ $ $ $ $ $ $ $ $ $ $ $($($-$-$.$7$7$7$7$]$]$]$]$]$]$e$e$e$l$m$m$m$n
                                                                                                                                          • API String ID: 0-3042459311
                                                                                                                                          • Opcode ID: eea1fc57d3ca0b8e0e93982ffdcc0b0748bf83233e1af8c807f6c641b5baeb2d
                                                                                                                                          • Instruction ID: 17f735909b1c1c34ac2ce5739d1a9828fdd332d240b3622beb2c245b27824621
                                                                                                                                          • Opcode Fuzzy Hash: eea1fc57d3ca0b8e0e93982ffdcc0b0748bf83233e1af8c807f6c641b5baeb2d
                                                                                                                                          • Instruction Fuzzy Hash: 4C232A30A10745CFCB15EF34C898B99B7B2FF8A304F518699E4596B360EB71AA85CF41

                                                                                                                                           Control-flow Graph
                                                                                                                                           Rendered in the interactive report; the node and edge list is omitted here. Entry block 7c7e100-7c7e810; a branching body with calls to 7c7512c, 7c7b878, 7c7e110, 7c7e120 and 7c7f110, and a loop whose back edge runs from 7c7eb8c-7c7eb98 to 7c7ea41; final block 7c7f0af-7c7f0b4.
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742831588.0000000007C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C70000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7c70000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: Hbq$Hbq$Hbq$Hbq$Hbq
                                                                                                                                          • API String ID: 0-1677660839
                                                                                                                                          • Opcode ID: d5e45af1d3f3a573c4b209b8c2fb62529f35183ba226adf6804020ec8bb98d59
                                                                                                                                          • Instruction ID: a79c1550eb6433cf2e7e17e7ad9f1d59f1565e45941a78f94c4388abac6733bb
                                                                                                                                          • Opcode Fuzzy Hash: d5e45af1d3f3a573c4b209b8c2fb62529f35183ba226adf6804020ec8bb98d59
                                                                                                                                          • Instruction Fuzzy Hash: F9326D71A002188FDB54DFB9C8947AEBBF2BF84300F1485A9D409AB399DF349D85CB95
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742831588.0000000007C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C70000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7c70000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: Hbq
                                                                                                                                          • API String ID: 0-1245868
                                                                                                                                          • Opcode ID: fcddd094f0d91d4c62a2b723861d8241d761ff8e5d489582cb248bba6d9c863e
                                                                                                                                          • Instruction ID: 953239a220f114193b9d9d1266f0c7054822006288fe5d71aaccf8df8836d1f2
                                                                                                                                          • Opcode Fuzzy Hash: fcddd094f0d91d4c62a2b723861d8241d761ff8e5d489582cb248bba6d9c863e
                                                                                                                                          • Instruction Fuzzy Hash: B5D18370A007599FCB14DF78C854AAEBBB6FF89300F14859AE809A7351DF309E42CB91
                                                                                                                                          APIs
                                                                                                                                          • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 094A8C87
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1743369032.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_94a0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InformationProcessQuery
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1778838933-0
                                                                                                                                          • Opcode ID: da320197a2b8a9d780689053eafb97f66abafea8ca8b51245b17aba4448f5fea
                                                                                                                                          • Instruction ID: 51c07174fc76e8a6c53e36e46bb7fcd4f496e817294913deb43f4cc221449777
                                                                                                                                          • Opcode Fuzzy Hash: da320197a2b8a9d780689053eafb97f66abafea8ca8b51245b17aba4448f5fea
                                                                                                                                          • Instruction Fuzzy Hash: 993145B5A053489FCB11CFA9D884AEEBFF4FB49310F14845AE458E7261C339A905CFA5
                                                                                                                                          APIs
                                                                                                                                          • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 094A8C87
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1743369032.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_94a0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InformationProcessQuery
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1778838933-0
                                                                                                                                          • Opcode ID: 613181aeffbed351750946faf3d08cc0e610f0e80080a5df7674a6d5e85044ee
                                                                                                                                          • Instruction ID: dcd06fd9e014ecff1b973827550a63ba503b37df426cf508407e62f2a17f809a
                                                                                                                                          • Opcode Fuzzy Hash: 613181aeffbed351750946faf3d08cc0e610f0e80080a5df7674a6d5e85044ee
                                                                                                                                          • Instruction Fuzzy Hash: 6721DEB5901258DFCB10DF9AD984ADEBBF4FB48310F10842AE958A7310C379A944CFA4
                                                                                                                                          APIs
                                                                                                                                          • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 094A8C87
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1743369032.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_94a0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InformationProcessQuery
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1778838933-0
                                                                                                                                          • Opcode ID: 1fa4ac437639569964478d8bca2ce594bf9624db59254bb76ab6211fff0d441e
                                                                                                                                          • Instruction ID: 47c12f3047e18d6444420b3d1ddb8156b05afe0e974017f895aa816b25ebb73b
                                                                                                                                          • Opcode Fuzzy Hash: 1fa4ac437639569964478d8bca2ce594bf9624db59254bb76ab6211fff0d441e
                                                                                                                                          • Instruction Fuzzy Hash: F621EDB5901258DFCB10DF9AD884ACEBBF4FB48320F10842AE958A7310D379A944CFA5
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1743154026.0000000007F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F80000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7f80000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 50736ac9db44f09352ccd6924afcaecc9c9e2ce138efadc623e3342c9eee90a1
                                                                                                                                          • Instruction ID: 042c6f42e9f86909b1e54bda43cf5e21e832699c92f2cb9122aa00151153d321
                                                                                                                                          • Opcode Fuzzy Hash: 50736ac9db44f09352ccd6924afcaecc9c9e2ce138efadc623e3342c9eee90a1
                                                                                                                                          • Instruction Fuzzy Hash: 8A32DDB4B127059FCB58EB68C950BAEB7F6AF89740F5840A9E406DB3A0CB35DD01CB51
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1743369032.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_94a0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 51e040136581226c9ac3914c41398a652cb9ef134182802d99021b35e0571d32
                                                                                                                                          • Instruction ID: 1c8da450f5e0e7a55383e35976183dcf3447b58e902c25ee4c1b076fa29a3238
                                                                                                                                          • Opcode Fuzzy Hash: 51e040136581226c9ac3914c41398a652cb9ef134182802d99021b35e0571d32
                                                                                                                                          • Instruction Fuzzy Hash: A6428374E11218CFDB24CFA9C985B9DBBB6FF48301F1582A9E809A7355DB31A981CF50
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1743369032.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_94a0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: c3065934fd5d5f0d775e738463107eb9b28ad0acd1978b6593da85370900b2cd
                                                                                                                                          • Instruction ID: aec54b70b37de9505b2affda572ac7c9760da68a71d1217c202a9bb8b1817f1c
                                                                                                                                          • Opcode Fuzzy Hash: c3065934fd5d5f0d775e738463107eb9b28ad0acd1978b6593da85370900b2cd
                                                                                                                                          • Instruction Fuzzy Hash: 9B32D270A01219CFDB50DFA9C584A8EFBF2BF59311F55D196E408AB212DB30E985CFA4
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742831588.0000000007C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C70000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7c70000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 1ec13240e9b884ad1daa3a39933c7d879149cbed988d343d7e64b5751ad2fdd7
                                                                                                                                          • Instruction ID: 5284c76c9d8a1d8f7733c0d38f2aa07120f63f4bbed40934e357efa3a7a4e758
                                                                                                                                          • Opcode Fuzzy Hash: 1ec13240e9b884ad1daa3a39933c7d879149cbed988d343d7e64b5751ad2fdd7
                                                                                                                                          • Instruction Fuzzy Hash: AFC15BB2E00219CFCF14DFA9C880799BBB2AF89314F14C5AAD849AB255DB30D995CF51
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742831588.0000000007C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C70000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7c70000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 10f194bf188b9567b99c528a4ede5c083bbab55d7ad0dca5897f1fd21ebde046
                                                                                                                                          • Instruction ID: d723975cc0f5e12d6b112ee79ade5bc71eb17ee09aa894f12a99785bc304503f
                                                                                                                                          • Opcode Fuzzy Hash: 10f194bf188b9567b99c528a4ede5c083bbab55d7ad0dca5897f1fd21ebde046
                                                                                                                                          • Instruction Fuzzy Hash: 4FC15AB2E002198FDB14DFA9C88079ABBF2AF89314F14C5A9D849AB255DB30D985CF51
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1743154026.0000000007F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F80000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7f80000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 0be807166dfdf0f35df491e0cf066fcb4dfe8437099ab5b14fbfe1f3f0a957a9
                                                                                                                                          • Instruction ID: e11e89242fe5204b41a2f0e72a38beebf3bf42fffb8eece87980c8207c581365
                                                                                                                                          • Opcode Fuzzy Hash: 0be807166dfdf0f35df491e0cf066fcb4dfe8437099ab5b14fbfe1f3f0a957a9
                                                                                                                                          • Instruction Fuzzy Hash: 67D09EB5829259CFC744FF94D884AB8B7B8AB0B304F19A055C81DA3311DA30D940DB18

                                                                                                                                           Control-flow Graph (rendered graph replaced by its block list): 58c4670-58c46d2 (call 58c3a40), 58c46d4-58c46d6, 58c46dc-58c46e8, 58c46ee-58c4729 (call 58c4524), 58c472e-58c4737, 58c4738-58c4764, 58c476b-58c4773, 58c477a-58c48b5, 58c48bb-58c48c9, 58c48cb-58c48d1, 58c48d2-58c4918, 58c491a-58c491d, 58c4925, 58c4926 (branches to itself); executed/not-executed colouring and edge list omitted
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: Hbq$Hbq
                                                                                                                                          • API String ID: 0-4258043069
                                                                                                                                          • Opcode ID: d68cbc41648f74206ba5c92eef456e111bf3883ec3701b9a52516c0da5d97605
                                                                                                                                          • Instruction ID: 6cb251eff4f7c26d1dd551257ffdcf3997f97296f2d78a32712a8758ccc9a762
                                                                                                                                          • Opcode Fuzzy Hash: d68cbc41648f74206ba5c92eef456e111bf3883ec3701b9a52516c0da5d97605
                                                                                                                                          • Instruction Fuzzy Hash: D5816970E002598FDB04DFA9C8946AEBFF6FF88310F14856AE409EB364DB349945CB91

                                                                                                                                           Control-flow Graph (rendered graph replaced by its block list): 58c0007-58c0012, 58c0014-58c0015, 58c0019-58c0141, 58c0144 (call resolved to 58c0cd8 or 58c0ce8), 58c014a-58c0163, 58c0165-58c01bd, 58c01c5-58c025d, 58c0260 (call resolved to 58c6cd8 or 58c6ce8), 58c0263-58c02aa; executed/not-executed colouring and edge list omitted
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: $
                                                                                                                                          • API String ID: 0-227171996
                                                                                                                                          • Opcode ID: 8b957bad030957c445a8bde2b991f6d83b1cda00773460d6d9a3bb9b70af015c
                                                                                                                                          • Instruction ID: b8fc2a4bb19b815a2becb470db38715e25a0e4fc8f501940523da9d3f56ef8a8
                                                                                                                                          • Opcode Fuzzy Hash: 8b957bad030957c445a8bde2b991f6d83b1cda00773460d6d9a3bb9b70af015c
                                                                                                                                          • Instruction Fuzzy Hash: A271F330512745CFDB01EF28E894695BBF1FF85310B4586A9DC49AB32AEB35E994CF80

                                                                                                                                           Control-flow Graph (rendered graph replaced by its block list; alternate entry into the same code as the previous function): 58c0040-58c0141, 58c0144 (call resolved to 58c0cd8 or 58c0ce8), 58c014a-58c0163, 58c0165-58c01bd, 58c01c5-58c025d, 58c0260 (call resolved to 58c6cd8 or 58c6ce8), 58c0263-58c02aa; executed/not-executed colouring and edge list omitted
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: $
                                                                                                                                          • API String ID: 0-227171996
                                                                                                                                          • Opcode ID: 1995f4039c850f3c76abcd149cf8c6acda42542b483c33b741b3473c20b3fbf2
                                                                                                                                          • Instruction ID: 39cefb261d02185a36c23c7005cfc348a1e28b84f8872787c39202babf929232
                                                                                                                                          • Opcode Fuzzy Hash: 1995f4039c850f3c76abcd149cf8c6acda42542b483c33b741b3473c20b3fbf2
                                                                                                                                          • Instruction Fuzzy Hash: 9D61E234911705CFDB00EF29E894655BBF1FF89310B4086A9DD49AB31AEB76E994CF80

                                                                                                                                           Control-flow Graph (rendered graph replaced by its block list): 58c4c44-58c54b2, 58c54b4-58c558f, 58c54bb-58c54cb, 58c54d1-58c54e1, 58c54e7-58c54eb, 58c54ed, 58c54f3-58c5512, 58c5514-58c5534 (calls 58c4c94, 58c4638, 58c4648), 58c5539-58c553e, 58c5540-58c5542 (call 58c4ca4), 58c5547-58c555a (call 58c4614), 58c5560-58c5567, 58c5596-58c5668, 58c566f-58c568b; executed/not-executed colouring and edge list omitted
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: (bq$Hbq
                                                                                                                                          • API String ID: 0-4081012451
                                                                                                                                          • Opcode ID: 3bb212ca9db03776f04e67939f0a7ee3478a44da660571c00e7889d9610a86eb
                                                                                                                                          • Instruction ID: 59212419b09cf9958f13c8f8c95715feec9dbdfe1dbb6eab7bb7ee7e02e06f3f
                                                                                                                                          • Opcode Fuzzy Hash: 3bb212ca9db03776f04e67939f0a7ee3478a44da660571c00e7889d9610a86eb
                                                                                                                                          • Instruction Fuzzy Hash: 46418F70B002198FDF14EBACC45567F7EEBEBC4210B2489A9E906E7398CE34DD4587A5
                                                                                                                                          APIs
                                                                                                                                          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07F83B2E
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1743154026.0000000007F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F80000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7f80000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CreateProcess
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 963392458-0
                                                                                                                                          • Opcode ID: 169ec8beb2e0d11775c8c2af284f763223fd2370994acf605cc451d2cca9febb
                                                                                                                                          • Instruction ID: 6d0790176a9fd120ad58db531643a6ef808cc54ee4fddebf2afa67d3555270c1
                                                                                                                                          • Opcode Fuzzy Hash: 169ec8beb2e0d11775c8c2af284f763223fd2370994acf605cc451d2cca9febb
                                                                                                                                          • Instruction Fuzzy Hash: 10A17CB1D0025ADFDB10DF68C841BEEBBF2BF48714F1881A9D809A7250DB749985CF92
                                                                                                                                          APIs
                                                                                                                                          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07F83B2E
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1743154026.0000000007F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F80000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7f80000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CreateProcess
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 963392458-0
                                                                                                                                          • Opcode ID: c496acdd6e12dc1c482b059cc9ba78bb7cfd02c79598f19bca04631d18b229fe
                                                                                                                                          • Instruction ID: bc1ae4443dffa09045ccef7ef81a8b739ced7491579e2713f6970c742e1a4383
                                                                                                                                          • Opcode Fuzzy Hash: c496acdd6e12dc1c482b059cc9ba78bb7cfd02c79598f19bca04631d18b229fe
                                                                                                                                          • Instruction Fuzzy Hash: 3C917CB1D0025ADFDB10DF68C841BDEBBF2BF48714F1881A9D809A7250DB749985CF92
                                                                                                                                          APIs
                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 030BAFBE
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1736676122.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_30b0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: HandleModule
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 4139908857-0
                                                                                                                                          • Opcode ID: 6041485b167dbdbe48031039bb65ac52a95583ff09d4c875db9599ba9a81fd37
                                                                                                                                          • Instruction ID: cc9b89d0bff318af2fd4969d458ebce731a2000fcd9a49421e0160a4a924c424
                                                                                                                                          • Opcode Fuzzy Hash: 6041485b167dbdbe48031039bb65ac52a95583ff09d4c875db9599ba9a81fd37
                                                                                                                                          • Instruction Fuzzy Hash: AB714370A01B058FD764DF2AD04479ABBF6FF88300F048A2EE49AD7A50DB75E945CB90
APIs
• CreateActCtxA.KERNEL32(?), ref: 030B59A9
Memory Dump Source
• Source File: 00000000.00000002.1736676122.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30b0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
APIs
• CreateActCtxA.KERNEL32(?), ref: 030B59A9
Memory Dump Source
• Source File: 00000000.00000002.1736676122.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30b0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 057D4101
Memory Dump Source
• Source File: 00000000.00000002.1740041748.00000000057D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_57d0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
Memory Dump Source
• Source File: 00000000.00000002.1742831588.0000000007C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7c70000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID: CreateFromIconResource
• String ID:
• API String ID: 3668623891-0
APIs
• DrawTextExW.USER32(?,?,?,?,?,?), ref: 07C71F7F
Memory Dump Source
• Source File: 00000000.00000002.1742831588.0000000007C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7c70000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID: DrawText
• String ID:
• API String ID: 2175133113-0
APIs
• WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07F83700
Memory Dump Source
• Source File: 00000000.00000002.1743154026.0000000007F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7f80000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
APIs
• WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07F83700
Memory Dump Source
• Source File: 00000000.00000002.1743154026.0000000007F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7f80000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
APIs
• DrawTextExW.USER32(?,?,?,?,?,?), ref: 07C71F7F
Memory Dump Source
• Source File: 00000000.00000002.1742831588.0000000007C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7c70000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID: DrawText
• String ID:
• API String ID: 2175133113-0
APIs
• OutputDebugStringW.KERNELBASE(00000000), ref: 094A9C88
Memory Dump Source
• Source File: 00000000.00000002.1743369032.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_94a0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID: DebugOutputString
• String ID:
• API String ID: 1166629820-0
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07F83556
Memory Dump Source
• Source File: 00000000.00000002.1743154026.0000000007F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7f80000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,030BD616,?,?,?,?,?), ref: 030BD6D7
Memory Dump Source
• Source File: 00000000.00000002.1736676122.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30b0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
APIs
• ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07F837E0
Memory Dump Source
• Source File: 00000000.00000002.1743154026.0000000007F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7f80000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,030BD616,?,?,?,?,?), ref: 030BD6D7
Memory Dump Source
• Source File: 00000000.00000002.1736676122.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_30b0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
                                                                                                                                          APIs
                                                                                                                                          • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07F837E0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1743154026.0000000007F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F80000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7f80000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: MemoryProcessRead
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1726664587-0
                                                                                                                                          • Opcode ID: f69daf90e97fd737de5815e2b0b382642762de203ca6a5149c8b76ae18d45503
                                                                                                                                          • Instruction ID: b1593d226be34bc03c5357550fbbb443d205bbb993195df31459b51ade99781a
                                                                                                                                          • Opcode Fuzzy Hash: f69daf90e97fd737de5815e2b0b382642762de203ca6a5149c8b76ae18d45503
                                                                                                                                          • Instruction Fuzzy Hash: 1F2128B1C002599FCB10DFAAC881ADEFBF5FF48310F108429E558A7250C7789544CBA4
                                                                                                                                          APIs
                                                                                                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07F83556
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1743154026.0000000007F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F80000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7f80000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: ContextThreadWow64
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 983334009-0
                                                                                                                                          • Opcode ID: 66bd44bf918447a360edaad921e5004f5ed16447cebc770203568cac33b1925a
                                                                                                                                          • Instruction ID: 6a7faf6fae12bf331e85527b8c294a9509c3bcb2bf2b096e9c69fc07a0a1cfd5
                                                                                                                                          • Opcode Fuzzy Hash: 66bd44bf918447a360edaad921e5004f5ed16447cebc770203568cac33b1925a
                                                                                                                                          • Instruction Fuzzy Hash: 1B2138B1D002198FDB10DFAAC4857EEBFF4EF48324F148429D459A7250C778A945CFA4
                                                                                                                                          APIs
                                                                                                                                          • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,07C7F12A,?,?,?,?,?), ref: 07C7F1CF
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742831588.0000000007C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C70000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7c70000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CreateFromIconResource
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 3668623891-0
                                                                                                                                          • Opcode ID: 002b773bf89f49e7598b5901f0fb4a6bd9db7cbdb9a832bb10a3e65ea99389a7
                                                                                                                                          • Instruction ID: 4a4969cf31a81446280022f8d40952ab717c68ebecdf82d2e6ead118110efde3
                                                                                                                                          • Opcode Fuzzy Hash: 002b773bf89f49e7598b5901f0fb4a6bd9db7cbdb9a832bb10a3e65ea99389a7
                                                                                                                                          • Instruction Fuzzy Hash: 851137B590025D9FDB10DFAAC884BEEBFF8EB48320F14841AE954A7210C775A954CFA4
                                                                                                                                          APIs
                                                                                                                                          • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07F8361E
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1743154026.0000000007F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F80000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7f80000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: AllocVirtual
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 4275171209-0
                                                                                                                                          • Opcode ID: 1229016f82f48432a6e5c7f4886e9430ce2258aa31b8b7ba16ce4eef9090c1ac
                                                                                                                                          • Instruction ID: e2950adf7397f20b873b94f0a6308f5e093e6c4c2e65be0d25e277019204ac2b
                                                                                                                                          • Opcode Fuzzy Hash: 1229016f82f48432a6e5c7f4886e9430ce2258aa31b8b7ba16ce4eef9090c1ac
                                                                                                                                          • Instruction Fuzzy Hash: 681147B1C04249CFDB10DFA9C944BDEBFF5AF88314F248419D559A7260C7799540CFA0
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1743154026.0000000007F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F80000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7f80000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: ResumeThread
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 947044025-0
                                                                                                                                          • Opcode ID: 6885bd6f396954adc5c679b90ff7a83138eea6dd19cad7ed20c95b9c3dc063f1
                                                                                                                                          • Instruction ID: eae9bc9640ed54960acb18460897c7b422172a74328230de0f41915b1e39df14
                                                                                                                                          • Opcode Fuzzy Hash: 6885bd6f396954adc5c679b90ff7a83138eea6dd19cad7ed20c95b9c3dc063f1
                                                                                                                                          • Instruction Fuzzy Hash: F81149B19042498FDB10DFAAC4457EEFFF4AF88324F248419D459A7250CB74A944CBA5
                                                                                                                                          APIs
                                                                                                                                          • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07F8361E
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1743154026.0000000007F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F80000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7f80000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: AllocVirtual
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 4275171209-0
                                                                                                                                          • Opcode ID: ef0054cbd84c9230d4842385df66c7b1ae473ba076f399ac63d85bc85b4c2b0e
                                                                                                                                          • Instruction ID: 5a5f6ae54bae6137566fc47e90724810a0a4d958b25795aa2b7b1e2d57b7a2da
                                                                                                                                          • Opcode Fuzzy Hash: ef0054cbd84c9230d4842385df66c7b1ae473ba076f399ac63d85bc85b4c2b0e
                                                                                                                                          • Instruction Fuzzy Hash: BF1126B29002499FCB10DFAAC844BDEFBF5EF88324F148419E559A7260C775A544CFA4
                                                                                                                                          APIs
                                                                                                                                          • OutputDebugStringW.KERNELBASE(00000000), ref: 094A9C88
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1743369032.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_94a0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: DebugOutputString
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1166629820-0
                                                                                                                                          • Opcode ID: 7127d2655fcbdbe3e3c3207c5528eb7f1d247eae72c4637ea0c89eb3afc98a40
                                                                                                                                          • Instruction ID: d89c868c1b1b34dab8b52e5f4604872b3db1448689e34024b50d4cc60226857b
                                                                                                                                          • Opcode Fuzzy Hash: 7127d2655fcbdbe3e3c3207c5528eb7f1d247eae72c4637ea0c89eb3afc98a40
                                                                                                                                          • Instruction Fuzzy Hash: B11100B1C04A599BCB14DF9AD544A9EFBF4EB48720F10812AE918A7340C378A944CFE5
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1743154026.0000000007F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F80000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7f80000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: ResumeThread
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 947044025-0
                                                                                                                                          • Opcode ID: d87c06250a0afdd1ea8a5c4755bae885e1066c66b56ea37f183a4037a485c145
                                                                                                                                          • Instruction ID: 446e1051fc28522ade2fe7bc08dafe2fd14159388d81e580c065f2c21703524f
                                                                                                                                          • Opcode Fuzzy Hash: d87c06250a0afdd1ea8a5c4755bae885e1066c66b56ea37f183a4037a485c145
                                                                                                                                          • Instruction Fuzzy Hash: BE1166B1D002488FCB20DFAAC8457DEFBF4EF88324F248429C459A7250CB78A944CFA4
                                                                                                                                          APIs
                                                                                                                                          • PostMessageW.USER32(?,?,?,?), ref: 07F87E9D
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1743154026.0000000007F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F80000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7f80000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: MessagePost
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 410705778-0
                                                                                                                                          • Opcode ID: 64255918cb245461699a175229507aa0c891e0fae30f42957a148d1ad7667602
                                                                                                                                          • Instruction ID: df03a7de185411c96fd484fd554270dc16ba791f51f37c6b10c303f240bf2493
                                                                                                                                          • Opcode Fuzzy Hash: 64255918cb245461699a175229507aa0c891e0fae30f42957a148d1ad7667602
                                                                                                                                          • Instruction Fuzzy Hash: 981125B68003499FDB10DF99D945BDEFFF8EB48320F24841AD958A3250C374A980CFA1
                                                                                                                                          APIs
                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 030BAFBE
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1736676122.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_30b0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: HandleModule
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 4139908857-0
                                                                                                                                          • Opcode ID: 23dcddbe321f1d712526b4c943a13adaf7c622e72dfca34b75fbc2a805291c6d
                                                                                                                                          • Instruction ID: 5fdd958d4612be4eff55b19d1773cfd56112ba20659ee1d7d47b4f8715c46556
                                                                                                                                          • Opcode Fuzzy Hash: 23dcddbe321f1d712526b4c943a13adaf7c622e72dfca34b75fbc2a805291c6d
                                                                                                                                          • Instruction Fuzzy Hash: 4E111DB6D002498FCB10CF9AD444ADEFBF4EF88324F14842AD868A7610C379A545CFA1
                                                                                                                                          APIs
                                                                                                                                          • PostMessageW.USER32(?,?,?,?), ref: 07F87E9D
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1743154026.0000000007F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F80000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7f80000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: MessagePost
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 410705778-0
                                                                                                                                          • Opcode ID: 9bed1b90e4a85b89605920c40c358337e2a345f372ec7b5652f08fd7f52fee06
                                                                                                                                          • Instruction ID: 0f0e1ac79c1e1d543360ed08ae070ce05e56e03dd2cf1b340c8e56684247fad3
                                                                                                                                          • Opcode Fuzzy Hash: 9bed1b90e4a85b89605920c40c358337e2a345f372ec7b5652f08fd7f52fee06
                                                                                                                                          • Instruction Fuzzy Hash: 041103B58003499FDB10DF9AD585BDEBBF8EB48320F20841AD558A7210C375A944CFA1
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 3a9ff468dbd5783f67cf0e77366e92641aa31670193fe36ed0323e5c882c8a5b
                                                                                                                                          • Instruction ID: 98efea4e6fa41ad5abdf9dfaf587a093bdf6d5198e58bf82d6bacdad867b5128
                                                                                                                                          • Opcode Fuzzy Hash: 3a9ff468dbd5783f67cf0e77366e92641aa31670193fe36ed0323e5c882c8a5b
                                                                                                                                          • Instruction Fuzzy Hash: 5C719074A0020A8FCB44CF69D5849A9FBF1BF49314B5986A9E90ADB312D734ED85CF90
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 06512f7cc3a4ea21253102b3df853c63e6531bdafc92f3ba5b2c740fb224839e
                                                                                                                                          • Instruction ID: 021dbddd0e758ab8ae97652f1e910a44a4ca72f8d3dbd913427a3c5e2f93adc4
                                                                                                                                          • Opcode Fuzzy Hash: 06512f7cc3a4ea21253102b3df853c63e6531bdafc92f3ba5b2c740fb224839e
                                                                                                                                          • Instruction Fuzzy Hash: DD518D707003049FCB15EB28C594BAABBFABF89604F1445ADE90ADB3A0DB75EC41CB51
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: d3d389263d37c7e05f9313f01c1831456a479eb2c207f2010d07ddadb4be6ff6
                                                                                                                                          • Instruction ID: 8fede69066a4d16cdc3cc98c00993ecba72ac4c8fbb978f47f8bf9561bd5d639
                                                                                                                                          • Opcode Fuzzy Hash: d3d389263d37c7e05f9313f01c1831456a479eb2c207f2010d07ddadb4be6ff6
                                                                                                                                          • Instruction Fuzzy Hash: 19512B306106008FCB14DF69C898BA9BBB2FF89314F1445BCD95ADB3A5DB71EC498B61
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 8c5049683369068d9020724c4f3f5552bbd1b23a44439412045ee76b6407ae5d
                                                                                                                                          • Instruction ID: 6fe29396da652a0e8bb1f3db9390806ea4886e39e98e724548fde4b267a7061b
                                                                                                                                          • Opcode Fuzzy Hash: 8c5049683369068d9020724c4f3f5552bbd1b23a44439412045ee76b6407ae5d
                                                                                                                                          • Instruction Fuzzy Hash: 2A514171E002499FDF14EFA9C8589AFBFF9EF88300F10856AE815E7354DA74E9058B91
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: bd1c266c88bc96dc7fba3738208d8851e889f9bee2ee143b9fe8b5f6ded9a132
                                                                                                                                          • Instruction ID: 200a57506a593f3cde2e308629da4c6198e3a048f244d4a7043337d36518f616
                                                                                                                                          • Opcode Fuzzy Hash: bd1c266c88bc96dc7fba3738208d8851e889f9bee2ee143b9fe8b5f6ded9a132
                                                                                                                                          • Instruction Fuzzy Hash: AB4179307003059FCB16EB68C594AAEBBFAAF89604F1444ADD90ADB361DB35EC41CB91
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: a053d5de148f342ce9156073b36d11a836ffdc145aa247980ff7ae1adc8157b1
                                                                                                                                          • Instruction ID: 6c82d5bfc26aa7e096f4f528d3284ee2016ea017ba1a2b107bbed7fc47b5ae74
                                                                                                                                          • Opcode Fuzzy Hash: a053d5de148f342ce9156073b36d11a836ffdc145aa247980ff7ae1adc8157b1
                                                                                                                                          • Instruction Fuzzy Hash: C9419935A00219CFDB21DFA8D558AAEBFB5FB48354F14426AE941E7350DB34ED81CBA0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: f4e255d9262dc920ba8007057069c5fbdea5b18c9ae889b399f428a8bc55f5ab
                                                                                                                                          • Instruction ID: 9def7d8e488aa94ed93742d1403ccf569a17064dc2bad17c1d7a2afa079e9031
                                                                                                                                          • Opcode Fuzzy Hash: f4e255d9262dc920ba8007057069c5fbdea5b18c9ae889b399f428a8bc55f5ab
                                                                                                                                          • Instruction Fuzzy Hash: FE416F75E002088BEB15EF68C0986ADBEB7EF88254F14446DDA01E7250DA39DD85CBA6
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: acebad9bb314ca2a7e61cc4758c05db43fc106761066795392700c7ebadfa648
                                                                                                                                          • Instruction ID: 05210f9bd9e56e636f0e8f26c1ec8722e9c061a7d2d5712b86701694c63c5438
                                                                                                                                          • Opcode Fuzzy Hash: acebad9bb314ca2a7e61cc4758c05db43fc106761066795392700c7ebadfa648
                                                                                                                                          • Instruction Fuzzy Hash: A9415E30A10709CFCB04EF68C8949DDFBB6FF89304F0085A9E5159B325EB70A946CB81
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 8a366c7639e848316c851418860885836ab78d9eb7a36bbb74d6d3a5b033dd1a
                                                                                                                                          • Instruction ID: 37fdb3f9f691ada81e4fd62288f56106f4618ba44b6e86e9d858c637a9a02310
                                                                                                                                          • Opcode Fuzzy Hash: 8a366c7639e848316c851418860885836ab78d9eb7a36bbb74d6d3a5b033dd1a
                                                                                                                                          • Instruction Fuzzy Hash: FC31CE71A002919FDB01EF6CDD14AFFBFB9EF84201F04819A9894D7265EA30DE458791
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 65dc4b68977843b8c0ef6735739c43c4d978ac815331041310523147076b7c8b
                                                                                                                                          • Instruction ID: 0fb96d9e05cfc8bddb600127af4e61980a2b30f58269239c1fc4714a0e8aac70
                                                                                                                                          • Opcode Fuzzy Hash: 65dc4b68977843b8c0ef6735739c43c4d978ac815331041310523147076b7c8b
                                                                                                                                          • Instruction Fuzzy Hash: 75412F34A10709CFCB14EF68C8849DDFBB6FF89304F108559E515AB325EB71A945CB81
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: f93e8c537e90ace7a9c5713694619aee79a03629458f46d6c92b6d8181631c66
                                                                                                                                          • Instruction ID: d3491ba150c1dd033aa702e5a8d84a694f2438cfb6a2c104fed3b727d6c4f446
                                                                                                                                          • Opcode Fuzzy Hash: f93e8c537e90ace7a9c5713694619aee79a03629458f46d6c92b6d8181631c66
                                                                                                                                          • Instruction Fuzzy Hash: FA41B0B0D10358DFDB14CF9AC984A9EFBB1BF48714F10816AE418AB324D7749845CF91
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 9478052fcff6b6be8072c6beb9c2174210cd87795074ab145f2ae693c0a5f89e
                                                                                                                                          • Instruction ID: 711beb1f3e2baa2e33e5903bb867e2fe0ee6645c6c93473ba38fabcde427225c
                                                                                                                                          • Opcode Fuzzy Hash: 9478052fcff6b6be8072c6beb9c2174210cd87795074ab145f2ae693c0a5f89e
                                                                                                                                          • Instruction Fuzzy Hash: 07411975A0020ADFCB44DF68D58499AFBB5FF49310B14C2A9E918AB311E730E985CF90
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: a5c1dc563b8ac5007d9f8bee13828df3abf887bc7285beb15cb84a11bfe95259
                                                                                                                                          • Instruction ID: 519f7701187ca8537f0be9dd846c5c9117ea9b10fd05247e492ae7e99dab13b1
                                                                                                                                          • Opcode Fuzzy Hash: a5c1dc563b8ac5007d9f8bee13828df3abf887bc7285beb15cb84a11bfe95259
                                                                                                                                          • Instruction Fuzzy Hash: 7241F474A002468FC714CF68C584AA9FFF1BF49310B5986EAE84ADB351D734EC85CB90
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: c1faa14013a6f207b1631b69df43708ce047bff7ec942cb5e9e9f2901e22d9a2
                                                                                                                                          • Instruction ID: 36f002b6ccc02a27a7b4532f5e0881d98aa341b24bfd3183e6bd1bbcafbe5335
                                                                                                                                          • Opcode Fuzzy Hash: c1faa14013a6f207b1631b69df43708ce047bff7ec942cb5e9e9f2901e22d9a2
                                                                                                                                          • Instruction Fuzzy Hash: 26410875A0120A9FCB44DF69D48499EFBB5FF49310B14C2A9E918AB311E730E985CF90
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 13f20599547d40cf196cd9036e760ce2809825a395bdaf14bd5e8006960a1417
                                                                                                                                          • Instruction ID: aba703c1347df8f33a8e11b302ef06c1c25fd531db927e3991d6ddc2bcc61ed5
                                                                                                                                          • Opcode Fuzzy Hash: 13f20599547d40cf196cd9036e760ce2809825a395bdaf14bd5e8006960a1417
                                                                                                                                          • Instruction Fuzzy Hash: BB316C35B01219DFCF05EF64D85889DF7B6FF88214B0581A9E906AB350EB31AD45CBD0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 14977f539dac61aedf452356195f8ac9a29d4d10089b251fc0f2964cd24875a3
                                                                                                                                          • Instruction ID: 4b25ec69217a6ddcd9824b6ceffbbd6eca20333b4557e9a79854c23023f039c8
                                                                                                                                          • Opcode Fuzzy Hash: 14977f539dac61aedf452356195f8ac9a29d4d10089b251fc0f2964cd24875a3
                                                                                                                                          • Instruction Fuzzy Hash: 572151323541018FD7149B2DC888A697FE6FF85721B1985FDE94ACF3A6DA35DC048B90
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 298f12a6d5327fffad805015973ddd26253fa5e1f03ffeb20fc33b6f15de5436
                                                                                                                                          • Instruction ID: d8c3b6adc89ec1e59d1e89b0504a44bb8212eacc791b3a2115c00a29773e419b
                                                                                                                                          • Opcode Fuzzy Hash: 298f12a6d5327fffad805015973ddd26253fa5e1f03ffeb20fc33b6f15de5436
                                                                                                                                          • Instruction Fuzzy Hash: 2B31F739A10219DFCB15DFA8D895DACBBB9FF88704B1185A9E915EB320DB30ED00CB50
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 831c0f9d9c2868e2c7268510664cca7c3d4c1731475a06d4088879e065c811b3
                                                                                                                                          • Instruction ID: cf350adf505e3b18990cad3f20b3793f4880f7078bf7505736672a0e820bf4af
                                                                                                                                          • Opcode Fuzzy Hash: 831c0f9d9c2868e2c7268510664cca7c3d4c1731475a06d4088879e065c811b3
                                                                                                                                          • Instruction Fuzzy Hash: 6A319371E002098FEB19DF7880947AD7EB7EF89614F1444ADDA41E7240DA39CD86CBA6
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1735819244.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_171d000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: beb83d45e91a0dc02fac9654847e13860007c338621eb1b643ab370d553dc81c
                                                                                                                                          • Instruction ID: 3f5ed9934fbe43b4ba3997bffa2f572db9893f08b73760eefd960110644d8d8b
                                                                                                                                          • Opcode Fuzzy Hash: beb83d45e91a0dc02fac9654847e13860007c338621eb1b643ab370d553dc81c
                                                                                                                                          • Instruction Fuzzy Hash: F121F771508200DFDB15DF98D9C8B66FF65FB88320F20C5A9E9154B25AC336D416CB61
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 41d0edde890834166bce91a1a52e4c7d016e9856b823e3e8114c5d8ae865d15b
                                                                                                                                          • Instruction ID: d413449a2cb81519868d966f19b73f57f3e378f70364ff0932e2eea75007c05a
                                                                                                                                          • Opcode Fuzzy Hash: 41d0edde890834166bce91a1a52e4c7d016e9856b823e3e8114c5d8ae865d15b
                                                                                                                                          • Instruction Fuzzy Hash: 95212731A0A6619FC716AB6C840497DBFAAEF8571070940EEDC0ADB746CF34DC028BE5
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 2a88a42b10ed721b5ef533de6ecb5069f6e3954b881c2bc2d11e62a853910072
                                                                                                                                          • Instruction ID: dfcb8ee12f0bba5afe5de8dbecff844e1e15f6e3150d2ea1e4206e8645250663
                                                                                                                                          • Opcode Fuzzy Hash: 2a88a42b10ed721b5ef533de6ecb5069f6e3954b881c2bc2d11e62a853910072
                                                                                                                                          • Instruction Fuzzy Hash: 1821B235A10209AFDB01DFA8D894AEEBFB7FF89300B548559F501AB264DF30A845CB91
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 56153c2cbdbca56de76b0ab70b81a7ea1ef99b4a430fd1d14d70db7339ce5af6
                                                                                                                                          • Instruction ID: 5a2c2cc3d45215177a546a38eb3b524f29ed06190141ad0676440334ec741312
                                                                                                                                          • Opcode Fuzzy Hash: 56153c2cbdbca56de76b0ab70b81a7ea1ef99b4a430fd1d14d70db7339ce5af6
                                                                                                                                          • Instruction Fuzzy Hash: 9121AA75A002199BDF04DFA9C9506FEBBF6FF88200F144429D905E7351EB349D418BA1
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1735978646.000000000172D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0172D000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_172d000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: f95674fcd30531e3ef84765d39f2a6a86f2f538d68dd09ff1d90f1402b0f0569
                                                                                                                                          • Instruction ID: fc4dddc7ee945f24f0ec8b3b3b271c5516510d27bfc06954a2b3232533aec66b
                                                                                                                                          • Opcode Fuzzy Hash: f95674fcd30531e3ef84765d39f2a6a86f2f538d68dd09ff1d90f1402b0f0569
                                                                                                                                          • Instruction Fuzzy Hash: 16212671508200EFDB25DF98D9C4B26FBE5FB89324F20C6ADE9098B256C336D447CA61
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1735978646.000000000172D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0172D000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_172d000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: dff93752d53a54ea68ca9863d34d694b00a5dfe1225df37578347f11b3a82f19
                                                                                                                                          • Instruction ID: 345a5f97249c062dad9a470ed791c7654215084d1810e21af9334c486e17a2be
                                                                                                                                          • Opcode Fuzzy Hash: dff93752d53a54ea68ca9863d34d694b00a5dfe1225df37578347f11b3a82f19
                                                                                                                                          • Instruction Fuzzy Hash: 8C212271604240DFCB35DF98D9C4B26FFA5EB88314F20C5ADD90A4B2A6C33AD447CA61
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 0248e2d5342d20b0e99f078efaefe29c1a8af430e8f91e75d471e9cb3471a844
                                                                                                                                          • Instruction ID: 5b578e710946be5e33f2c50fe8ebae9b1195559177e3efa7855614f7988763ab
                                                                                                                                          • Opcode Fuzzy Hash: 0248e2d5342d20b0e99f078efaefe29c1a8af430e8f91e75d471e9cb3471a844
                                                                                                                                          • Instruction Fuzzy Hash: D5214131910609DFCB10EF68D84099AFBF5FF49310B50C26AE958A7200EB31E998CB91
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 1f11f7b9db6725bee95a40cec0f2533b5536a1ed88c3a8dfb7c736acb506636a
                                                                                                                                          • Instruction ID: 88effea5a9a4e1b7001caed7b9e24528f9295ea089a44e724131ec7c1e5c0728
                                                                                                                                          • Opcode Fuzzy Hash: 1f11f7b9db6725bee95a40cec0f2533b5536a1ed88c3a8dfb7c736acb506636a
                                                                                                                                          • Instruction Fuzzy Hash: 8521F231A10209AFDB01DFA8D894D9EBFB7FF88300F40855AE501BB264DF30A885CB91
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • Snapshot File: hcaresult_0_2_172d000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                                          • Instruction ID: 6dda2efb86ea8ea6be7353b0bec10821f913f0c565bba2bf9fbd7b8669d5346c
                                                                                                                                          • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                                          • Instruction Fuzzy Hash: C911D075504280CFDB22CF54D5C4B15FF61FB44314F24C6AAD8494B666C33AD40BCB61
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1735978646.000000000172D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0172D000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_172d000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                                          • Instruction ID: 19b65c7c97821a56a05ef4f24630e059c34183730f08b5e834745d395539e84f
                                                                                                                                          • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                                          • Instruction Fuzzy Hash: 9211BB75508280DFDB12CF54C5C4B15FFA1FB85224F24C6AAD8498B296C33AD40ACB61
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 0a95eae218dfdd9dc03f817d42e431bb96bec4037fde457bc51199a175bc8304
                                                                                                                                          • Instruction ID: 66a08daa62560eeefccd953e9d2725d0c892ed8014a594efa36856e66fc11276
                                                                                                                                          • Opcode Fuzzy Hash: 0a95eae218dfdd9dc03f817d42e431bb96bec4037fde457bc51199a175bc8304
                                                                                                                                          • Instruction Fuzzy Hash: 181104B1D046488FDB10DFAAD548BDEFBF4EB49320F10845AD859A7310D3B8A944CFA5
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: d7596d78889bbf785f4336660e5f53ef9ce77b6b8d826dd5f76a651aaa042f32
                                                                                                                                          • Instruction ID: de450fab4a9b8c804beebb689aa0d125f28d2b472457bf7d8ce92fc721edc5aa
                                                                                                                                          • Opcode Fuzzy Hash: d7596d78889bbf785f4336660e5f53ef9ce77b6b8d826dd5f76a651aaa042f32
                                                                                                                                          • Instruction Fuzzy Hash: 551104B1D046488FCB10DFAAD544B9EFBF4EB49320F10845AD859A7310D3B8A944CFA5
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 76e9044baff57fdecf45c0ef64d981c0f309b6c0e835f1089cbe603f1d791bcf
                                                                                                                                          • Instruction ID: 38c9fcc50126b9fc59b9564ed69af67a16bb8ce428a85bda51b22847b2563c67
                                                                                                                                          • Opcode Fuzzy Hash: 76e9044baff57fdecf45c0ef64d981c0f309b6c0e835f1089cbe603f1d791bcf
                                                                                                                                          • Instruction Fuzzy Hash: E601283A304204CFC7149A6ED448A697FEAFF89615B0880ADF92EC7760EB31DC418B50
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 80f5432c1ae41620239a08cd6f1ff36a0025443d89e06979e7027c48583ab4d6
                                                                                                                                          • Instruction ID: c46140595d26b8c87f7d77bef2e53c3c669c9832d386d0c4aa71e0e1e2416869
                                                                                                                                          • Opcode Fuzzy Hash: 80f5432c1ae41620239a08cd6f1ff36a0025443d89e06979e7027c48583ab4d6
                                                                                                                                          • Instruction Fuzzy Hash: B01102B5D046488FDB10DFAAD548BDEFBF4EB48320F14841AD858A7310D3B8A945CFA1
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 75bd4694918768fd2312a887489af7bedeeac3fcaec78e7003887f135431015d
                                                                                                                                          • Instruction ID: 2ea79a626671250a048392a466fa1f3df45a80fe1ae57f119180adb7e26b6069
                                                                                                                                          • Opcode Fuzzy Hash: 75bd4694918768fd2312a887489af7bedeeac3fcaec78e7003887f135431015d
                                                                                                                                          • Instruction Fuzzy Hash: CB1125B19002488FCB10DF9AD545B9EBBF4EB48320F108469D959A7310D374A944CFA4
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 5754e9883139415d3a0f67e6d9318651e29917db18d3ba70a781067433182ed7
                                                                                                                                          • Instruction ID: e505ce56162e21c1635c6c2c1121e73cc9179dfd8394067eb9d7673a6f450a5c
                                                                                                                                          • Opcode Fuzzy Hash: 5754e9883139415d3a0f67e6d9318651e29917db18d3ba70a781067433182ed7
                                                                                                                                          • Instruction Fuzzy Hash: 560161B5A001059BDB04DF58C859A6BBBFAEB88710F144569F902EB348DA759C00DBA0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: afb76181b5c2f34cb07cdb7bb5a0e873867649c3f92db268b5f67d503f3dd474
                                                                                                                                          • Instruction ID: 4b8e0ea552fe4ed41189e378d9663b025c4e50a06a0f999dcc5a5b5a72f4a408
                                                                                                                                          • Opcode Fuzzy Hash: afb76181b5c2f34cb07cdb7bb5a0e873867649c3f92db268b5f67d503f3dd474
                                                                                                                                          • Instruction Fuzzy Hash: 78016171E00209CFFF149F6890587AD7EA7AF48355F1444ADDA01E6290CB788D81CBA6
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 7871a7e75ea72a9df1bfca80cfbe4d9e94346c36138a6404e5b2dd114c897600
                                                                                                                                          • Instruction ID: 0c7fdfd81b93eb1577092e4b289a3badd01346c1368e7c8cbcf0c9c1b50e48d2
                                                                                                                                          • Opcode Fuzzy Hash: 7871a7e75ea72a9df1bfca80cfbe4d9e94346c36138a6404e5b2dd114c897600
                                                                                                                                          • Instruction Fuzzy Hash: 32015A34700610CFC7189B69E48896ABBEAFFC8211B1485AEE81ACB325CF71EC05CB50
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 28cf4c68e8fa1cef0565f6c4b5ef9b18738b31e4362f158b44f2607c937d5c2e
                                                                                                                                          • Instruction ID: 191229ce29528c5e490079b8534b2a8656c98a75af05458ccef9af5d14df8619
                                                                                                                                          • Opcode Fuzzy Hash: 28cf4c68e8fa1cef0565f6c4b5ef9b18738b31e4362f158b44f2607c937d5c2e
                                                                                                                                          • Instruction Fuzzy Hash: E61145B58002488FCB10DF9AD545BDEFFF4EB48320F10845AE959A7310C378A944CFA4
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: efa70e8a8809277003390b0a90044adcea64cb3f7b73c6fec54a1d125038abd8
                                                                                                                                          • Instruction ID: 298a67bdd901b89710f48379dac202430c4eebafabe9d6f5d33d3472e92f04ab
                                                                                                                                          • Opcode Fuzzy Hash: efa70e8a8809277003390b0a90044adcea64cb3f7b73c6fec54a1d125038abd8
                                                                                                                                          • Instruction Fuzzy Hash: 5E017174A001089BDB04DF5CC85DAABBBFAFB88714F148569F902EB348DE759C00CBA1
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: c73662603223e5422f54789a9ae562fb1d4f5dac6a06e89d644a340de0cf5f30
                                                                                                                                          • Instruction ID: 0b74056d8c9cb245fb19407c45e475a173e74dca3ba91a27bacce2a919072a79
                                                                                                                                          • Opcode Fuzzy Hash: c73662603223e5422f54789a9ae562fb1d4f5dac6a06e89d644a340de0cf5f30
                                                                                                                                          • Instruction Fuzzy Hash: 8101E931600B058FC725EF39C4445AA7BB6FF85310B15C9AED946CB6A4EB31ED85CB81
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 13546caf3bcc6b09904a5b1dd459022fe854ad85c5ddb9fa14dd540a684b9811
                                                                                                                                          • Instruction ID: 9008106317ad9be0621920191ca7629adaca69afaea5ffff1c4a6f350e6b4a23
                                                                                                                                          • Opcode Fuzzy Hash: 13546caf3bcc6b09904a5b1dd459022fe854ad85c5ddb9fa14dd540a684b9811
                                                                                                                                          • Instruction Fuzzy Hash: 25015E30600B558FC315EF39C4546697BB6EF85700F40D5AED986CB2A1EB30E842CB81
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: d19e1d5f355f33fbd02ec6d78f41250fa5a4e265ecab88ee42510c6b6193f8bc
                                                                                                                                          • Instruction ID: 71765924c3aae9668c36aca3885df780dfce1aa1a43822fcfaf0e50fc024364b
                                                                                                                                          • Opcode Fuzzy Hash: d19e1d5f355f33fbd02ec6d78f41250fa5a4e265ecab88ee42510c6b6193f8bc
                                                                                                                                          • Instruction Fuzzy Hash: FB019EB28142088FDB10CF99D44879EFBF0AF95310F24C45AD454AB251C6B4E845CFA1
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 7e5f319281779a4d77138fcc838ef147bf2aa706f28d707855959bb4e30e034c
                                                                                                                                          • Instruction ID: 520966f67bb27f59c44d61b42faf28ec1bdfb8068ad4efbf34e50379c1fc873d
                                                                                                                                          • Opcode Fuzzy Hash: 7e5f319281779a4d77138fcc838ef147bf2aa706f28d707855959bb4e30e034c
                                                                                                                                          • Instruction Fuzzy Hash: A6018B357017088BCB11AB78A8046BEBF75EF81210F05459DDA89AB214EB70E8428BD2
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 94ffe6c0fedd594bbad53a01d6e88e72f8fc5f44ee37d0cd5d4c9b5ef1467c20
                                                                                                                                          • Instruction ID: ba83d6a8c421afd2def58725d19c1b56f74511e56fa581e57e8e70574013cad1
                                                                                                                                          • Opcode Fuzzy Hash: 94ffe6c0fedd594bbad53a01d6e88e72f8fc5f44ee37d0cd5d4c9b5ef1467c20
                                                                                                                                          • Instruction Fuzzy Hash: 9E01AD3A3506048FCB18DA29C45496A3BA6FBCA700B2941EEE806CB366CA35DC41CF80
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: be00c5528de426d51aa725bf5ad71d75af28812013ba03b4bb308552be74956e
                                                                                                                                          • Instruction ID: eabbede31f154802aaca352aaec184a1a4b4bc8df4d6653b9ea00f972f8e3b6f
                                                                                                                                          • Opcode Fuzzy Hash: be00c5528de426d51aa725bf5ad71d75af28812013ba03b4bb308552be74956e
                                                                                                                                          • Instruction Fuzzy Hash: C6F0C875B003148BCF06FBEC94656BE7FB6AB88111F1400ACEE05E73A1CA358E529796
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: e20cc24c7ed55051195213bccb389dffb11eb43753455105a8ea5ee4f2f45d20
                                                                                                                                          • Instruction ID: ece5e81c4ab8e571caefc77db6f1c8bb59ed5b314c83db5b8f048ca04a9d3e4c
                                                                                                                                          • Opcode Fuzzy Hash: e20cc24c7ed55051195213bccb389dffb11eb43753455105a8ea5ee4f2f45d20
                                                                                                                                          • Instruction Fuzzy Hash: E1F0C2363002446B8F01AA6D88948BF7EAADBC82107044429FE06CA265CE35DC51A7A1
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: c15f6d8eeebbaab8385248d7e1618c6cfd846dc386b2f0ce3198a137d7c62e80
                                                                                                                                          • Instruction ID: 0cacdf65d29643fdc61face21e6cc4bc9a2129bb4fe178cf9787fe4206de2a0d
                                                                                                                                          • Opcode Fuzzy Hash: c15f6d8eeebbaab8385248d7e1618c6cfd846dc386b2f0ce3198a137d7c62e80
                                                                                                                                          • Instruction Fuzzy Hash: 1FF0B4313046158BCA24DA3F9454F3A7BDAEFC561570445BDEC07CB254DE38DC49CA55
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 8a07be7f17fc18a81be7b68003117cd4f9152142bd26549a53d8431c75e66187
                                                                                                                                          • Instruction ID: b496efbe08d088a80c7a632e4199268b1319d828257cc07ee18d7f12e7c52b76
                                                                                                                                          • Opcode Fuzzy Hash: 8a07be7f17fc18a81be7b68003117cd4f9152142bd26549a53d8431c75e66187
                                                                                                                                          • Instruction Fuzzy Hash: 8DF06236350714CFCB28DA2DD45486A37A6FFCA72472942EEE812CB365CA35DC41CB91
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 0780ac0830e7a8c9355a29826df206873147905d42932fb700393e39ddbae951
                                                                                                                                          • Instruction ID: 0e802fb63d63615ba07ca9985bbc4fb7cbc0062b7fb4769868a60d97942eada3
                                                                                                                                          • Opcode Fuzzy Hash: 0780ac0830e7a8c9355a29826df206873147905d42932fb700393e39ddbae951
                                                                                                                                          • Instruction Fuzzy Hash: 80F02832200248AFCB069B5DA801AEF7F9EEB89320B04406AF98AC3150CB31D911DB61
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: c267f248e64baac7afa6de021226e3c4cff0eb2a47726df8123a6741013c2c93
                                                                                                                                          • Instruction ID: 9faca76c79d9b1ca19b57ef64256e5577a6bf10703f35249cfe08607351dabd2
                                                                                                                                          • Opcode Fuzzy Hash: c267f248e64baac7afa6de021226e3c4cff0eb2a47726df8123a6741013c2c93
                                                                                                                                          • Instruction Fuzzy Hash: EFF06275B003155B8F15B6EC98645BEBEBAAB88511B10006CEE05E7360DA358E5187E6
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 64b0f2a9cff348d56f2c6bce0f4bd97ce7b306ebe73aa730cfd185736fc7a68d
                                                                                                                                          • Instruction ID: 2f6ed398493655b843a6f6a56ebc72c68d0d514710b10a65f31b333dce1724c0
                                                                                                                                          • Opcode Fuzzy Hash: 64b0f2a9cff348d56f2c6bce0f4bd97ce7b306ebe73aa730cfd185736fc7a68d
                                                                                                                                          • Instruction Fuzzy Hash: 5FF0903531461047CB1AAB3D911877C6BA6EF88611F1440FDD80ACB395EE38CD06DB92
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: efa01b5875b0a3267556d5e7cbd0363e11ada693c81615ea9a02f13625ea4c5f
                                                                                                                                          • Instruction ID: 0ccfd72bbfc227ff757f668ad57fcbf5a3a9b1b73db852878978bf13c44bcbd4
                                                                                                                                          • Opcode Fuzzy Hash: efa01b5875b0a3267556d5e7cbd0363e11ada693c81615ea9a02f13625ea4c5f
                                                                                                                                          • Instruction Fuzzy Hash: 9DF0F6723007124FE7149B69E894499BBE9EFC43313044A7AE51AC7364CE71EC0A8790
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: c2c99da2430ce840f1eade5aa20be4e776c31361077e0ce45d4c9e56acefb12f
                                                                                                                                          • Instruction ID: e5933adfee12be639cdd527968b4d53b4c74878427210c9e94123a94b3a5479b
                                                                                                                                          • Opcode Fuzzy Hash: c2c99da2430ce840f1eade5aa20be4e776c31361077e0ce45d4c9e56acefb12f
                                                                                                                                          • Instruction Fuzzy Hash: 14F0AF357007088BCB117A7898045BEBB75EFC1610F0445AEDA499B204EF30E9418BD2
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
• String ID:
• API String ID:
• Opcode ID: 807e791045b1aa9914cd83e6f6a576d9ba025744587c7d96f28db00ead181593
• Instruction ID: 2a331d2c9214db4a95691a4e6d6493cb5d47c0efabf564df5d19edb244dfb579
• Opcode Fuzzy Hash: 807e791045b1aa9914cd83e6f6a576d9ba025744587c7d96f28db00ead181593
• Instruction Fuzzy Hash: F1F0F6317002149FDB04AB79A4186BEBFBAEBC5220F10C46DE54587300CE34A806CB54

Memory Dump Source
• Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 29e7b1a3f0e11cec16f371f791e1bededd90cb0fb7294e7ffcb7f2b29c98bef1
• Instruction ID: 417425b7230cbaeecf868f0ecf22886ac3f8fc279a88eef4db2599f018f4c9fe
• Opcode Fuzzy Hash: 29e7b1a3f0e11cec16f371f791e1bededd90cb0fb7294e7ffcb7f2b29c98bef1
• Instruction Fuzzy Hash: D8F092357615008FC654EB6DD598925BBE6FFC861532684BAE94ACB371CB71EC058B00

Memory Dump Source
• Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d73fcc6497a3d3291925b6ea26a89ff5f56617ae70319a6e03545b9fbe2ed8d4
• Instruction ID: 2e12f276d0ccfbe77a3ec02ae6d75bf0ac3598c4daa341dc2f15b080eba7658b
• Opcode Fuzzy Hash: d73fcc6497a3d3291925b6ea26a89ff5f56617ae70319a6e03545b9fbe2ed8d4
• Instruction Fuzzy Hash: DC01C831D00609DFCB44EFA8C5459EDBBF0EF49300B1586AAE859EB321E7709A44CF81

Memory Dump Source
• Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2651155a0a20b2add7f6702bdba95aca2e194538ff4f67669be42d73350710c4
• Instruction ID: a7ee457940e8af077baa0e0523c2b9a39b020b3fa9aa329dab2d7f91d0fd7635
• Opcode Fuzzy Hash: 2651155a0a20b2add7f6702bdba95aca2e194538ff4f67669be42d73350710c4
• Instruction Fuzzy Hash: 9FF0B4323082158BCB24DA7AD454F7D3B95AF85625B0901FED843CB685EF38CC49CB51

Memory Dump Source
• Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6cfd01ccf372437f475728a541b3d0b678385416f4bbb88df0b123031158e410
• Instruction ID: bb11927ffa96f56da48aeba8090c72e85d6e210630e3ebc94edb371b54ca9fa4
• Opcode Fuzzy Hash: 6cfd01ccf372437f475728a541b3d0b678385416f4bbb88df0b123031158e410
• Instruction Fuzzy Hash: A4F0123131461057CF19A73E9418A7DBBAAEFC9921B2440BDDC06CB394EE79CC06DB96

Memory Dump Source
• Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b824ef32f754f4eb5e17334ae92bba3bb63edb53f9bccefff19f8707dcaf3769
• Instruction ID: 7484688a2915056a84eff8f495fdb06d2ccfce37d6a0a8b599a16cb5e4e555b6
• Opcode Fuzzy Hash: b824ef32f754f4eb5e17334ae92bba3bb63edb53f9bccefff19f8707dcaf3769
• Instruction Fuzzy Hash: 88F0C2393016008FC7169B29D494BA9BBA6FF88721F14099DE50A87720CB35EC428790

Memory Dump Source
• Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f635ab5dccbd9458952c0f2b3a77d2e729ddd2bd674d38b66f2fe00df8f709da
• Instruction ID: dbbbc2b359ca08d0ea2a31abebfe4cb34b43dafb2391eb811342b0faffb2c8a8
• Opcode Fuzzy Hash: f635ab5dccbd9458952c0f2b3a77d2e729ddd2bd674d38b66f2fe00df8f709da
• Instruction Fuzzy Hash: 46F054353016048FC6259F1AD49496AFBBAFFC8721B10055DE50687360DF31EC41C790

Memory Dump Source
• Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6f746318d75724cdc89d20257cc5c08083078a887a410992ece90c2cd392435e
• Instruction ID: 123ed52c1546c9127fe33db3c8aadaa88c91e2b614770c611c37b7e469aeaa29
• Opcode Fuzzy Hash: 6f746318d75724cdc89d20257cc5c08083078a887a410992ece90c2cd392435e
• Instruction Fuzzy Hash: 59F04434240610CFC305DB28D698A947BF9BF0A714B1545E9E54ACB332CF72EC81CB90

Memory Dump Source
• Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
• Instruction ID: 4243ceffdd30f352615e2fe6667d750750fc4abca0ae9b7f9b7c733986b7bd1f
• Opcode Fuzzy Hash: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
• Instruction Fuzzy Hash: 0601B675D00609DFCB40EFACC54589DBBF4FF49210B1185AAE859EB321E770AA44CF91

Memory Dump Source
• Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 885550d1ff202273b5de28a28de478a79df620d34e7a15b5993775677c56fbc3
• Instruction ID: c9c075549450e16a0d191f64160acd6c51a5dc9b70c4340fb6c16f7eebbdb14a
• Opcode Fuzzy Hash: 885550d1ff202273b5de28a28de478a79df620d34e7a15b5993775677c56fbc3
• Instruction Fuzzy Hash: 4EF05E317012249FDB18AB6AE40856EBBABEBC4321B10C86DE94AC7344DE35AC05CB94

Memory Dump Source
• Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e3c1ba6c8cd6be833603d48341f6fcef48473b154658c25a7d6a69e266e465e
• Instruction ID: a72afc36e4e8db8ab294b9218889396aa62ed640b098cd144f7c38b26d40d686
• Opcode Fuzzy Hash: 0e3c1ba6c8cd6be833603d48341f6fcef48473b154658c25a7d6a69e266e465e
• Instruction Fuzzy Hash: 36F0BC30240620CFC718DB28D598D59BBEAFF49B1971645E9E50ACB372CB72EC40CB80

Memory Dump Source
• Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 70c0c8da6c26800484b1f9e92379aa621b153e9c64d7d98ffbcd96822bdee2ec
• Instruction ID: bbbd8804b505b08089a747d2cc60356f8846a0e844ee64f36a9c75b5fca472a2
• Opcode Fuzzy Hash: 70c0c8da6c26800484b1f9e92379aa621b153e9c64d7d98ffbcd96822bdee2ec
• Instruction Fuzzy Hash: E3E0E571204741DFC7368A299904E63BFE9EF4010470449FDDC89CB622E630EC48C762

Memory Dump Source
• Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fd20b2249dd0549214bc67bc1fcf6bece2c6fb482f06f0f2e8ab5f3d15c955bc
• Instruction ID: 0f6c87264decc3f4d5cf0937f2cb3ee85ff839d599b2abdaf08106aa57e2b591
• Opcode Fuzzy Hash: fd20b2249dd0549214bc67bc1fcf6bece2c6fb482f06f0f2e8ab5f3d15c955bc
• Instruction Fuzzy Hash: 69F08270E00209CFEB149FB990197AD7EB7AF48305F00846DD902E6290CF788840CF65

Memory Dump Source
• Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3729ecf85375f48194110bb798bc4cddf70800cbcd0a3717a65effecfb8c8d27
• Instruction ID: 494c0c6f91ac4200dc500e4ee3cfaa9a868258837dd4566a86da3d552e79d2fb
• Opcode Fuzzy Hash: 3729ecf85375f48194110bb798bc4cddf70800cbcd0a3717a65effecfb8c8d27
• Instruction Fuzzy Hash: 11E092322002486FCB059A4DE804EAFBFDEDBCC320B04816AF949C3251CA75ED5197A1

Memory Dump Source
• Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3d5d2f79db4055eabcfa7eddc503503fddc54c6fad07b74e4a6e56f6baa73111
• Instruction ID: f458919d28475f66d8c621b33700395a7de29cd350be6532e863319a48c6c4a2
• Opcode Fuzzy Hash: 3d5d2f79db4055eabcfa7eddc503503fddc54c6fad07b74e4a6e56f6baa73111
• Instruction Fuzzy Hash: 9DE0D8323493811FC702A66DA89088BFFE6DFD5210308496BD5558F369DE6058458391

Memory Dump Source
• Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b0537c71f11b7cd628229b07ebac726c473a565eb468f049535051d2d6a93a31
• Instruction ID: 3f34eaef519b24fcb84da1886df7c942e7f28ab4e6f0c3ccf838c54cb5c77b9f
• Opcode Fuzzy Hash: b0537c71f11b7cd628229b07ebac726c473a565eb468f049535051d2d6a93a31
• Instruction Fuzzy Hash: D1F0A539E0110CCBCB14DFA4D6895ECBBB2EB88215F2001AAD906F3251DB36AE40CB64

Memory Dump Source
• Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: a0beeea23bd1a1691a39b228b7304879b4234ceaf0226c72092086f5b3cb5f08
                                                                                                                                          • Instruction ID: bfee6c87f195d68f044fb3632def3a154d4d796c266473651ae974e68fd1d1fe
                                                                                                                                          • Opcode Fuzzy Hash: a0beeea23bd1a1691a39b228b7304879b4234ceaf0226c72092086f5b3cb5f08
                                                                                                                                          • Instruction Fuzzy Hash: 4DE0ED709092889FCB01DBB8EA505B9BFB1EF45210B1182ABD84493226DB361E24DB11
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: e25bb411cd5af42b611c5c1d48badf7d1280c92d1b562ad3764dffb3f1db0567
                                                                                                                                          • Instruction ID: 8443bed0d5a451987328fc6153c984e14430c1f9fe7b5286a924c1bb57e574ff
                                                                                                                                          • Opcode Fuzzy Hash: e25bb411cd5af42b611c5c1d48badf7d1280c92d1b562ad3764dffb3f1db0567
                                                                                                                                          • Instruction Fuzzy Hash: 52E0867190010DEFCB00EFA4E55157DBBBAEB48320F1182A9E80993304DB326F509B50
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 5b9730424bd61ed4cc48480cb2c914f87cf8ca968dfc960d24d8a1492ffa8a81
                                                                                                                                          • Instruction ID: ef488cd71d7d19209dea0a37ac70357b4f518cce45132300bf1038dea3a92d08
                                                                                                                                          • Opcode Fuzzy Hash: 5b9730424bd61ed4cc48480cb2c914f87cf8ca968dfc960d24d8a1492ffa8a81
                                                                                                                                          • Instruction Fuzzy Hash: 79D017303146149F8728DA1CE84085AB7EAEF8921032586ADF40AC7770DA60EC098A84
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 055572f962892afebf4331421ac4e8c57462c2a5f403428d59199a89109e9500
                                                                                                                                          • Instruction ID: 19c10881c9f8fd796ae06e5446edd7db004b4d3fb6404a66a6c155e7aaf7b01d
                                                                                                                                          • Opcode Fuzzy Hash: 055572f962892afebf4331421ac4e8c57462c2a5f403428d59199a89109e9500
                                                                                                                                          • Instruction Fuzzy Hash: 6DE01A300191825FDB428B2ADA92BA1BFB5EF42304F0856D4D844CF517C22864CACB52
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1743369032.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_94a0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: 4v>
                                                                                                                                          • API String ID: 0-912787409
                                                                                                                                          • Opcode ID: 0d64a11162655d38e100683ef2bbc3e49389ee242bbee0ea6a1966ac2b091dcb
                                                                                                                                          • Instruction ID: 9d24aab8fd72ea9bba70ae88f162ea89622b3fb792d09494272c45d2e7ad08dc
                                                                                                                                          • Opcode Fuzzy Hash: 0d64a11162655d38e100683ef2bbc3e49389ee242bbee0ea6a1966ac2b091dcb
                                                                                                                                          • Instruction Fuzzy Hash: FEE11B74E001598FCB14CFA9C5909AEFBB2FF89304F24926AE414AB356D735AD81CF60
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1743369032.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_94a0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: tz>
                                                                                                                                          • API String ID: 0-2758190728
                                                                                                                                          • Opcode ID: fa82124d47dab94077a060e55590606c32d75aa33d345e6f51936eb7ae9faec1
                                                                                                                                          • Instruction ID: fe6ea5500d00877d86775714dc90bd9d7c1d30f16e49ba97b72ca67d721b4a03
                                                                                                                                          • Opcode Fuzzy Hash: fa82124d47dab94077a060e55590606c32d75aa33d345e6f51936eb7ae9faec1
                                                                                                                                          • Instruction Fuzzy Hash: 45E10C74E001598FDB14DFA9C5809AEFBB2FF48304F24926AE414AB356DB35AD81CF60
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740041748.00000000057D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057D0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_57d0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 4df7c944b6e19d548e64a1cf2254a519ed1663ec5fafc8398883650825f28cf5
                                                                                                                                          • Instruction ID: 909c52a89db2cc80c18d5431f40465b65e76516916248dd53a5d953f8ee7bef0
                                                                                                                                          • Opcode Fuzzy Hash: 4df7c944b6e19d548e64a1cf2254a519ed1663ec5fafc8398883650825f28cf5
                                                                                                                                          • Instruction Fuzzy Hash: 241293B04037458EE320EF65ED4C1893BF1BB46319FA05209DE652A2EDDBBC116ACF64
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1743154026.0000000007F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F80000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7f80000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: d1b5ed9a15e804ab24d99c60ae523b468fc0db7208551a3e3f722bcf6a446461
                                                                                                                                          • Instruction ID: f26fe67b4a5ef8067732ccd02545dc821b0e3c3fcbc37f01366f4e44da93c33d
                                                                                                                                          • Opcode Fuzzy Hash: d1b5ed9a15e804ab24d99c60ae523b468fc0db7208551a3e3f722bcf6a446461
                                                                                                                                          • Instruction Fuzzy Hash: 67E1E7B4E002198FCB14DFA9C5909AEBBF2FF89304F249169D414AB356D734A982CF60
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1743154026.0000000007F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F80000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7f80000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: fd7e4c62fb4d6dacb4d5f227f55005008d47788caabfbd21721a3c69af2e16e7
                                                                                                                                          • Instruction ID: b0712e25d87fa07b8b6d96bf1eacc3c365adcec9b331728e4f495970fcfa35c6
                                                                                                                                          • Opcode Fuzzy Hash: fd7e4c62fb4d6dacb4d5f227f55005008d47788caabfbd21721a3c69af2e16e7
                                                                                                                                          • Instruction Fuzzy Hash: DCE1D7B4E002198BCB54DFA9C5809AEBBF2FF49304F249269D414AB355D731AD82CFA1
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1743154026.0000000007F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F80000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7f80000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 1b2b370ac2be8f0c8e2e38700a25bb0de8694a40979553137a927c8f1ad58be1
                                                                                                                                          • Instruction ID: dfa5d9529c473180edaec46a5b8adcfd109d1225cbeea7515769cbb79256391c
                                                                                                                                          • Opcode Fuzzy Hash: 1b2b370ac2be8f0c8e2e38700a25bb0de8694a40979553137a927c8f1ad58be1
                                                                                                                                          • Instruction Fuzzy Hash: CDE1E7B4E002198FCB14DF99C5809AEFBF6FF89305F249269E415AB356D730A942CF60
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1743154026.0000000007F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F80000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7f80000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 8bf8b1c7b0a334c3ebb240ec26fcfabc08535f54759249d316963abf871e1ad7
                                                                                                                                          • Instruction ID: e78aa8b9db2eef11cb5ef030000f19ff3d4f9ed94a462109c0d82b85de83bb9e
                                                                                                                                          • Opcode Fuzzy Hash: 8bf8b1c7b0a334c3ebb240ec26fcfabc08535f54759249d316963abf871e1ad7
                                                                                                                                          • Instruction Fuzzy Hash: 8FE1E8B4E002198FCB54DFA9C5909AEFBF2FF89304F24916AD414AB355DB31A942CF61
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1743154026.0000000007F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F80000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7f80000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 2bb3b6567d5b26b64e45350864e68e30e40efb6acfdee64cff03e40407c183b9
                                                                                                                                          • Instruction ID: 4f079ed14a0989eba53df8d0f0f7ae2b560b7db85cc54bb24a6850a3a025c822
                                                                                                                                          • Opcode Fuzzy Hash: 2bb3b6567d5b26b64e45350864e68e30e40efb6acfdee64cff03e40407c183b9
                                                                                                                                          • Instruction Fuzzy Hash: C5E1D8B4E002198FCB54DFA9C5909AEFBF2FF89304F24916AE414AB355D731A942CF61
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1743369032.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_94a0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 09df5e5b6ba60320b4f931382148fa119aebdbb44bd27e2cf155ffe02197558d
                                                                                                                                          • Instruction ID: 44c794fc09a59bf9e062b69443d915f72b6e68d56b02e11699dff6f10dfa24ff
                                                                                                                                          • Opcode Fuzzy Hash: 09df5e5b6ba60320b4f931382148fa119aebdbb44bd27e2cf155ffe02197558d
                                                                                                                                          • Instruction Fuzzy Hash: ACE1F774E001598FDB14CFA9C5809AEFBB2FF89344F24926AE414AB356D735AD81CF60
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1743369032.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_94a0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: e97ac11bd7af1fb5eac388d579b5f03d0a17921d64e3e70983fa62b92d617792
                                                                                                                                          • Instruction ID: 50ac0591b070913c5026ab7f2b3925ebf213fd0866666b93622f71058c35a19b
                                                                                                                                          • Opcode Fuzzy Hash: e97ac11bd7af1fb5eac388d579b5f03d0a17921d64e3e70983fa62b92d617792
                                                                                                                                          • Instruction Fuzzy Hash: 90E1FB74E001598FCB14CFA9C5909AEFBB2FF89344F24926AE414AB356D735AD81CF60
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1736676122.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_30b0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 602ac1bc164ee255dbe09e59134d3856331b7c55778499c2b70722e3455c0714
                                                                                                                                          • Instruction ID: 40d858cd54565ea22ba2ea42003a19612c1a61beeeca34135960ca13e498ba26
                                                                                                                                          • Opcode Fuzzy Hash: 602ac1bc164ee255dbe09e59134d3856331b7c55778499c2b70722e3455c0714
                                                                                                                                          • Instruction Fuzzy Hash: 9CA16B36E1120A8FCF05DFB4C8445DEBBF2FF84300B1585AAE902AB265DB71E956CB40
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740041748.00000000057D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057D0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_57d0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: fc870ad7ced0263e5ba3c9d0ac516b1e0d81c42ff45a9f14a4616b6d99118575
                                                                                                                                          • Instruction ID: c7014ecc8f340ea85912ee18de34cb5f5f7bf93c94d46f8f08fd736d1fa25592
                                                                                                                                          • Opcode Fuzzy Hash: fc870ad7ced0263e5ba3c9d0ac516b1e0d81c42ff45a9f14a4616b6d99118575
                                                                                                                                          • Instruction Fuzzy Hash: CAD116B08037458ED720EF24EC481897BF1BB86319F655209DD616B2EDDBBC14AACF54
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1743369032.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_94a0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: aed3e7b70d34102dc4642fc2396e23e5ab87cc115bb3fc1012c39e9340fc9e26
                                                                                                                                          • Instruction ID: 0f9e986a8021952ec5cd0b6f695eacf6529b6c34f1cc134f66652104b9d2362d
                                                                                                                                          • Opcode Fuzzy Hash: aed3e7b70d34102dc4642fc2396e23e5ab87cc115bb3fc1012c39e9340fc9e26
                                                                                                                                          • Instruction Fuzzy Hash: 8E717174E016199FDB04DFAAC5849DEFBF2BF88310F14D166E418AB215DB34A942CF50
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1743369032.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_94a0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 69e7f379974a9616b4c757322883531113878cb67622bd28e6254c4018757149
                                                                                                                                          • Instruction ID: 977b8716ea5e95a58bcfa4dfb011b11d1fd270cdd7011a2f5113fd0fd21e28a4
                                                                                                                                          • Opcode Fuzzy Hash: 69e7f379974a9616b4c757322883531113878cb67622bd28e6254c4018757149
                                                                                                                                          • Instruction Fuzzy Hash: 4D517175D016199FDB08DFEAC9846EEFBB6BF88310F10D02AE819AB254DB345946CF50
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1743154026.0000000007F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F80000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7f80000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 2cec82a00b52dee34c6a54d5928998d8e9bd50b6d0d506ede904e4afcf1ff801
                                                                                                                                          • Instruction ID: 928f92e9c91374ab0223c01adb3fe968594a793a9f194e6cb11b2db2d4c60ac5
                                                                                                                                          • Opcode Fuzzy Hash: 2cec82a00b52dee34c6a54d5928998d8e9bd50b6d0d506ede904e4afcf1ff801
                                                                                                                                          • Instruction Fuzzy Hash: 7751FDB5E0021A8FDB14DFA9C5415AEFBF2BF89304F24C169D418A7255D731A942CF61
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1743369032.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_94a0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 41dd99a16d8ff0b1c8c2d9f9cfa4ab4c1200116df2de59abac03e00025a43c93
                                                                                                                                          • Instruction ID: 83e1916ee6fe54ff0c9032fe4068a8b8693036cad603361ff0b4f871a2f9118e
                                                                                                                                          • Opcode Fuzzy Hash: 41dd99a16d8ff0b1c8c2d9f9cfa4ab4c1200116df2de59abac03e00025a43c93
                                                                                                                                          • Instruction Fuzzy Hash: 4F518275E006198FDB08DFAAD98459EFBF2BF88300F14C16AE819AB354DB349946CF50
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1743369032.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_94a0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 36085d6c2a7e57046e11436efcb60ee546bbf3131785a6bb31aefb09b33457d5
                                                                                                                                          • Instruction ID: 218f5f5be1245ce6f1c9be809881aebe7ecdcc29c7462a647782803e24a4e000
                                                                                                                                          • Opcode Fuzzy Hash: 36085d6c2a7e57046e11436efcb60ee546bbf3131785a6bb31aefb09b33457d5
                                                                                                                                          • Instruction Fuzzy Hash: 4B41A471E046199FDB08DFAAC88469EFBF6BF88310F14C06AD419AB254DB345946CF50
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1743154026.0000000007F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F80000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7f80000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: f0dd2776e28c5ef30c0052e9d5b4cced730203a4c4c78cec4cbf82c93fd14e63
                                                                                                                                          • Instruction ID: d6a03b6af9e2fba84c22a6d5fa0d2ba103b5481e229abe781340da61b3af811f
                                                                                                                                          • Opcode Fuzzy Hash: f0dd2776e28c5ef30c0052e9d5b4cced730203a4c4c78cec4cbf82c93fd14e63
                                                                                                                                          • Instruction Fuzzy Hash: 07315CB1D09609CFDB45DFAAD9402EEBBF5AF8A300F58D0A6C408E7211DB744A45DB91
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
                                                                                                                                          • API String ID: 0-2697097662
                                                                                                                                          • Opcode ID: 1370fe73a50ae901af2b895d34a6efc3d1b730a5078fe1d38d142a178ee511d7
                                                                                                                                          • Instruction ID: e63350c304b6aee4b605b44827220cdf88449bda058f6af05f0007408aab0138
                                                                                                                                          • Opcode Fuzzy Hash: 1370fe73a50ae901af2b895d34a6efc3d1b730a5078fe1d38d142a178ee511d7
                                                                                                                                          • Instruction Fuzzy Hash: F212F370A0220A8FCB08EF74E89469EBBF2FF44304F5045A9C1495B269DF356D99CF91
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1740266234.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_58c0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
                                                                                                                                          • API String ID: 0-2697097662
                                                                                                                                          • Opcode ID: 6b84c8960665619bea7b7f4b31dd194ce6cdb34f4cc526fdabf07d40e6470d89
                                                                                                                                          • Instruction ID: 6e8eb85bbc61dc63f99892d8f0c437c44827c51172b11b29ccc465ec6b715ac2
                                                                                                                                          • Opcode Fuzzy Hash: 6b84c8960665619bea7b7f4b31dd194ce6cdb34f4cc526fdabf07d40e6470d89
                                                                                                                                          • Instruction Fuzzy Hash: 2712F270A0220A8FCB08EF74E99469EBBF2FF44304F5045A9C1495B269DF356D99CF91

                                                                                                                                          Execution Graph

                                                                                                                                          Execution Coverage: 1.4%
                                                                                                                                          Dynamic/Decrypted Code Coverage: 2.7%
                                                                                                                                          Signature Coverage: 1.4%
                                                                                                                                          Total number of Nodes: 554
                                                                                                                                          Total number of Limit Nodes: 67
                                                                                                                                          execution_graph 97535 41f0e0 97538 41b930 97535->97538 97539 41b956 97538->97539 97546 409d30 97539->97546 97541 41b962 97542 41b983 97541->97542 97554 40c1b0 97541->97554 97544 41b975 97590 41a670 97544->97590 97593 409c80 97546->97593 97548 409d3d 97549 409d44 97548->97549 97605 409c20 97548->97605 97549->97541 97555 40c1d5 97554->97555 98024 40b1b0 97555->98024 97557 40c22c 98028 40ae30 97557->98028 97559 40c252 97589 40c4a3 97559->97589 98037 414390 97559->98037 97561 40c297 97561->97589 98040 408a60 97561->98040 97563 40c2db 97563->97589 98047 41a4c0 97563->98047 97567 40c331 97568 40c338 97567->97568 98059 419fd0 97567->98059 97569 41bd80 2 API calls 97568->97569 97571 40c345 97569->97571 97571->97544 97573 40c382 97574 41bd80 2 API calls 97573->97574 97575 40c389 97574->97575 97575->97544 97576 40c392 97577 40f490 3 API calls 97576->97577 97578 40c406 97577->97578 97578->97568 97579 40c411 97578->97579 97580 41bd80 2 API calls 97579->97580 97581 40c435 97580->97581 98064 41a020 97581->98064 97584 419fd0 2 API calls 97585 40c470 97584->97585 97585->97589 98069 419de0 97585->98069 97588 41a670 2 API calls 97588->97589 97589->97544 97591 41af20 LdrLoadDll 97590->97591 97592 41a68f ExitProcess 97591->97592 97592->97542 97624 418b80 97593->97624 97597 409ca6 97597->97548 97598 409c9c 97598->97597 97631 41b270 97598->97631 97600 409ce3 97600->97597 97642 409aa0 97600->97642 97602 409d03 97648 409620 LdrLoadDll 97602->97648 97604 409d15 97604->97548 97606 409c3a 97605->97606 97607 41b560 LdrLoadDll 97605->97607 97999 41b560 97606->97999 97607->97606 97610 41b560 LdrLoadDll 97611 409c61 97610->97611 97612 40f170 97611->97612 97613 40f189 97612->97613 98007 40b030 97613->98007 97615 40f19c 98011 41a1a0 97615->98011 97619 40f1c2 97622 40f1ed 97619->97622 98017 41a220 97619->98017 97621 41a450 2 API calls 97623 409d55 97621->97623 
97622->97621 97623->97541 97625 418b8f 97624->97625 97649 414e40 97625->97649 97627 409c93 97628 418a30 97627->97628 97655 41a5c0 97628->97655 97632 41b289 97631->97632 97662 414a40 97632->97662 97634 41b2a1 97635 41b2aa 97634->97635 97701 41b0b0 97634->97701 97635->97600 97637 41b2be 97637->97635 97719 419ec0 97637->97719 97977 407ea0 97642->97977 97644 409ac1 97644->97602 97645 409aba 97645->97644 97990 408160 97645->97990 97648->97604 97650 414e5a 97649->97650 97651 414e4e 97649->97651 97650->97627 97651->97650 97654 4152c0 LdrLoadDll 97651->97654 97653 414fac 97653->97627 97654->97653 97658 41af20 97655->97658 97657 418a45 97657->97598 97659 41af30 97658->97659 97661 41af52 97658->97661 97660 414e40 LdrLoadDll 97659->97660 97660->97661 97661->97657 97663 414d75 97662->97663 97664 414a54 97662->97664 97663->97634 97664->97663 97727 419c10 97664->97727 97667 414b6d 97667->97634 97668 414b80 97730 41a320 97668->97730 97669 414b63 97787 41a420 LdrLoadDll 97669->97787 97672 414ba7 97673 41bd80 2 API calls 97672->97673 97675 414bb3 97673->97675 97674 414d39 97677 41a450 2 API calls 97674->97677 97675->97667 97675->97674 97676 414d4f 97675->97676 97681 414c42 97675->97681 97796 414780 LdrLoadDll NtReadFile NtClose 97676->97796 97678 414d40 97677->97678 97678->97634 97680 414d62 97680->97634 97682 414ca9 97681->97682 97684 414c51 97681->97684 97682->97674 97683 414cbc 97682->97683 97789 41a2a0 97683->97789 97686 414c56 97684->97686 97687 414c6a 97684->97687 97788 414640 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk 97686->97788 97690 414c87 97687->97690 97691 414c6f 97687->97691 97690->97678 97745 414400 97690->97745 97733 4146e0 97691->97733 97693 414c60 97693->97634 97695 414d1c 97793 41a450 97695->97793 97696 414c7d 97696->97634 97699 414c9f 97699->97634 97700 414d28 97700->97634 97703 41b0c1 97701->97703 97702 41b0d3 97702->97637 97703->97702 97814 41bd00 97703->97814 97705 41b0f4 97817 414060 97705->97817 97707 41b140 97707->97637 97708 41b117 
97708->97707 97709 414060 3 API calls 97708->97709 97711 41b139 97709->97711 97711->97707 97849 415380 97711->97849 97712 41b1ca 97713 41b1da 97712->97713 97943 41aec0 LdrLoadDll 97712->97943 97859 41ad30 97713->97859 97716 41b208 97938 419e80 97716->97938 97720 41af20 LdrLoadDll 97719->97720 97721 419edc 97720->97721 97971 1362c0a 97721->97971 97722 419ef7 97724 41bd80 97722->97724 97725 41b319 97724->97725 97974 41a630 97724->97974 97725->97600 97728 414b34 97727->97728 97729 41af20 LdrLoadDll 97727->97729 97728->97667 97728->97668 97728->97669 97729->97728 97731 41af20 LdrLoadDll 97730->97731 97732 41a33c NtCreateFile 97731->97732 97732->97672 97734 4146fc 97733->97734 97735 41a2a0 LdrLoadDll 97734->97735 97736 41471d 97735->97736 97737 414724 97736->97737 97738 414738 97736->97738 97739 41a450 2 API calls 97737->97739 97740 41a450 2 API calls 97738->97740 97741 41472d 97739->97741 97742 414741 97740->97742 97741->97696 97797 41bf90 LdrLoadDll RtlAllocateHeap 97742->97797 97744 41474c 97744->97696 97746 41444b 97745->97746 97747 41447e 97745->97747 97749 41a2a0 LdrLoadDll 97746->97749 97748 4145c9 97747->97748 97752 41449a 97747->97752 97750 41a2a0 LdrLoadDll 97748->97750 97751 414466 97749->97751 97757 4145e4 97750->97757 97753 41a450 2 API calls 97751->97753 97755 41a2a0 LdrLoadDll 97752->97755 97754 41446f 97753->97754 97754->97699 97756 4144b5 97755->97756 97759 4144d1 97756->97759 97760 4144bc 97756->97760 97810 41a2e0 LdrLoadDll 97757->97810 97763 4144d6 97759->97763 97764 4144ec 97759->97764 97762 41a450 2 API calls 97760->97762 97761 41461e 97765 41a450 2 API calls 97761->97765 97766 4144c5 97762->97766 97767 41a450 2 API calls 97763->97767 97772 4144f1 97764->97772 97798 41bf50 97764->97798 97768 414629 97765->97768 97766->97699 97769 4144df 97767->97769 97768->97699 97769->97699 97780 414503 97772->97780 97801 41a3d0 97772->97801 97773 414557 97774 41456e 97773->97774 97809 41a260 LdrLoadDll 97773->97809 97776 414575 97774->97776 97777 41458a 
97774->97777 97778 41a450 2 API calls 97776->97778 97779 41a450 2 API calls 97777->97779 97778->97780 97781 414593 97779->97781 97780->97699 97782 4145bf 97781->97782 97804 41bb50 97781->97804 97782->97699 97784 4145aa 97785 41bd80 2 API calls 97784->97785 97786 4145b3 97785->97786 97786->97699 97787->97667 97788->97693 97790 41af20 LdrLoadDll 97789->97790 97791 414d04 97790->97791 97792 41a2e0 LdrLoadDll 97791->97792 97792->97695 97794 41af20 LdrLoadDll 97793->97794 97795 41a46c NtClose 97794->97795 97795->97700 97796->97680 97797->97744 97811 41a5f0 97798->97811 97800 41bf68 97800->97772 97802 41a3ec NtReadFile 97801->97802 97803 41af20 LdrLoadDll 97801->97803 97802->97773 97803->97802 97805 41bb74 97804->97805 97806 41bb5d 97804->97806 97805->97784 97806->97805 97807 41bf50 2 API calls 97806->97807 97808 41bb8b 97807->97808 97808->97784 97809->97774 97810->97761 97812 41af20 LdrLoadDll 97811->97812 97813 41a60c RtlAllocateHeap 97812->97813 97813->97800 97944 41a500 97814->97944 97816 41bd2d 97816->97705 97818 414071 97817->97818 97820 414079 97817->97820 97818->97708 97819 41434c 97819->97708 97820->97819 97947 41cef0 97820->97947 97822 4140cd 97823 41cef0 2 API calls 97822->97823 97826 4140d8 97823->97826 97824 414126 97827 41cef0 2 API calls 97824->97827 97826->97824 97828 41d020 3 API calls 97826->97828 97958 41cf90 LdrLoadDll RtlAllocateHeap RtlFreeHeap 97826->97958 97830 41413a 97827->97830 97828->97826 97829 414197 97831 41cef0 2 API calls 97829->97831 97830->97829 97952 41d020 97830->97952 97832 4141ad 97831->97832 97834 4141ea 97832->97834 97836 41d020 3 API calls 97832->97836 97835 41cef0 2 API calls 97834->97835 97837 4141f5 97835->97837 97836->97832 97838 41d020 3 API calls 97837->97838 97844 41422f 97837->97844 97838->97837 97840 414324 97960 41cf50 LdrLoadDll RtlFreeHeap 97840->97960 97842 41432e 97961 41cf50 LdrLoadDll RtlFreeHeap 97842->97961 97959 41cf50 LdrLoadDll RtlFreeHeap 97844->97959 97845 414338 97962 41cf50 LdrLoadDll RtlFreeHeap 
97845->97962 97847 414342 97963 41cf50 LdrLoadDll RtlFreeHeap 97847->97963 97850 415391 97849->97850 97851 414a40 8 API calls 97850->97851 97853 4153a7 97851->97853 97852 4153fa 97852->97712 97853->97852 97854 4153e2 97853->97854 97855 4153f5 97853->97855 97857 41bd80 2 API calls 97854->97857 97856 41bd80 2 API calls 97855->97856 97856->97852 97858 4153e7 97857->97858 97858->97712 97964 41abf0 97859->97964 97862 41abf0 LdrLoadDll 97863 41ad4d 97862->97863 97864 41abf0 LdrLoadDll 97863->97864 97865 41ad56 97864->97865 97866 41abf0 LdrLoadDll 97865->97866 97867 41ad5f 97866->97867 97868 41abf0 LdrLoadDll 97867->97868 97869 41ad68 97868->97869 97870 41abf0 LdrLoadDll 97869->97870 97871 41ad71 97870->97871 97872 41abf0 LdrLoadDll 97871->97872 97873 41ad7d 97872->97873 97874 41abf0 LdrLoadDll 97873->97874 97875 41ad86 97874->97875 97876 41abf0 LdrLoadDll 97875->97876 97877 41ad8f 97876->97877 97878 41abf0 LdrLoadDll 97877->97878 97879 41ad98 97878->97879 97880 41abf0 LdrLoadDll 97879->97880 97881 41ada1 97880->97881 97882 41abf0 LdrLoadDll 97881->97882 97883 41adaa 97882->97883 97884 41abf0 LdrLoadDll 97883->97884 97885 41adb6 97884->97885 97886 41abf0 LdrLoadDll 97885->97886 97887 41adbf 97886->97887 97888 41abf0 LdrLoadDll 97887->97888 97889 41adc8 97888->97889 97890 41abf0 LdrLoadDll 97889->97890 97891 41add1 97890->97891 97892 41abf0 LdrLoadDll 97891->97892 97893 41adda 97892->97893 97894 41abf0 LdrLoadDll 97893->97894 97895 41ade3 97894->97895 97896 41abf0 LdrLoadDll 97895->97896 97897 41adef 97896->97897 97898 41abf0 LdrLoadDll 97897->97898 97899 41adf8 97898->97899 97900 41abf0 LdrLoadDll 97899->97900 97901 41ae01 97900->97901 97902 41abf0 LdrLoadDll 97901->97902 97903 41ae0a 97902->97903 97904 41abf0 LdrLoadDll 97903->97904 97905 41ae13 97904->97905 97906 41abf0 LdrLoadDll 97905->97906 97907 41ae1c 97906->97907 97908 41abf0 LdrLoadDll 97907->97908 97909 41ae28 97908->97909 97910 41abf0 LdrLoadDll 97909->97910 97911 41ae31 97910->97911 97912 41abf0 LdrLoadDll 
97911->97912 97913 41ae3a 97912->97913 97914 41abf0 LdrLoadDll 97913->97914 97915 41ae43 97914->97915 97916 41abf0 LdrLoadDll 97915->97916 97917 41ae4c 97916->97917 97918 41abf0 LdrLoadDll 97917->97918 97919 41ae55 97918->97919 97920 41abf0 LdrLoadDll 97919->97920 97921 41ae61 97920->97921 97922 41abf0 LdrLoadDll 97921->97922 97923 41ae6a 97922->97923 97924 41abf0 LdrLoadDll 97923->97924 97925 41ae73 97924->97925 97926 41abf0 LdrLoadDll 97925->97926 97927 41ae7c 97926->97927 97928 41abf0 LdrLoadDll 97927->97928 97929 41ae85 97928->97929 97930 41abf0 LdrLoadDll 97929->97930 97931 41ae8e 97930->97931 97932 41abf0 LdrLoadDll 97931->97932 97933 41ae9a 97932->97933 97934 41abf0 LdrLoadDll 97933->97934 97935 41aea3 97934->97935 97936 41abf0 LdrLoadDll 97935->97936 97937 41aeac 97936->97937 97937->97716 97939 41af20 LdrLoadDll 97938->97939 97940 419e9c 97939->97940 97970 1362df0 LdrInitializeThunk 97940->97970 97941 419eb3 97941->97637 97943->97713 97945 41a51c NtAllocateVirtualMemory 97944->97945 97946 41af20 LdrLoadDll 97944->97946 97945->97816 97946->97945 97948 41cf00 97947->97948 97949 41cf06 97947->97949 97948->97822 97950 41bf50 2 API calls 97949->97950 97951 41cf2c 97950->97951 97951->97822 97953 41cf90 97952->97953 97954 41cfed 97953->97954 97955 41bf50 2 API calls 97953->97955 97954->97830 97956 41cfca 97955->97956 97957 41bd80 2 API calls 97956->97957 97957->97954 97958->97826 97959->97840 97960->97842 97961->97845 97962->97847 97963->97819 97965 41ac0b 97964->97965 97966 414e40 LdrLoadDll 97965->97966 97967 41ac2b 97966->97967 97968 414e40 LdrLoadDll 97967->97968 97969 41acd7 97967->97969 97968->97969 97969->97862 97970->97941 97972 1362c11 97971->97972 97973 1362c1f LdrInitializeThunk 97971->97973 97972->97722 97973->97722 97975 41a64c RtlFreeHeap 97974->97975 97976 41af20 LdrLoadDll 97974->97976 97975->97725 97976->97975 97978 407eb0 97977->97978 97979 407eab 97977->97979 97980 41bd00 2 API calls 97978->97980 97979->97645 97982 407ed5 97980->97982 97981 
407f38 97981->97645 97982->97981 97983 419e80 2 API calls 97982->97983 97984 407f3e 97982->97984 97989 41bd00 2 API calls 97982->97989 97993 41a580 97982->97993 97983->97982 97985 407f64 97984->97985 97987 41a580 2 API calls 97984->97987 97985->97645 97988 407f55 97987->97988 97988->97645 97989->97982 97991 40817e 97990->97991 97992 41a580 2 API calls 97990->97992 97991->97602 97992->97991 97994 41a59c 97993->97994 97995 41af20 LdrLoadDll 97993->97995 97998 1362c70 LdrInitializeThunk 97994->97998 97995->97994 97996 41a5b3 97996->97982 97998->97996 98000 41b583 97999->98000 98003 40ace0 98000->98003 98004 40ad04 98003->98004 98005 40ad40 LdrLoadDll 98004->98005 98006 409c4b 98004->98006 98005->98006 98006->97610 98008 40b053 98007->98008 98010 40b0d0 98008->98010 98022 419c50 LdrLoadDll 98008->98022 98010->97615 98012 41af20 LdrLoadDll 98011->98012 98013 40f1ab 98012->98013 98013->97623 98014 41a790 98013->98014 98015 41af20 LdrLoadDll 98014->98015 98016 41a7af LookupPrivilegeValueW 98015->98016 98016->97619 98018 41af20 LdrLoadDll 98017->98018 98019 41a23c 98018->98019 98023 1362ea0 LdrInitializeThunk 98019->98023 98020 41a25b 98020->97622 98022->98010 98023->98020 98025 40b1e0 98024->98025 98026 40b030 LdrLoadDll 98025->98026 98027 40b1f4 98026->98027 98027->97557 98029 40ae41 98028->98029 98030 40ae3d 98028->98030 98031 40ae5a 98029->98031 98032 40ae8c 98029->98032 98030->97559 98074 419c90 LdrLoadDll 98031->98074 98075 419c90 LdrLoadDll 98032->98075 98034 40ae9d 98034->97559 98036 40ae7c 98036->97559 98038 40f490 3 API calls 98037->98038 98039 4143b6 98037->98039 98038->98039 98039->97561 98076 4087a0 98040->98076 98043 408a9d 98043->97563 98044 4087a0 19 API calls 98045 408a8a 98044->98045 98045->98043 98094 40f700 10 API calls 98045->98094 98048 41af20 LdrLoadDll 98047->98048 98049 41a4dc 98048->98049 98213 1362e80 LdrInitializeThunk 98049->98213 98050 40c312 98052 40f490 98050->98052 98053 40f4ad 98052->98053 98214 419f80 98053->98214 98055 40f4f5 
98055->97567 98057 419fd0 2 API calls 98058 40f51e 98057->98058 98058->97567 98060 41af20 LdrLoadDll 98059->98060 98061 419fec 98060->98061 98220 1362d10 LdrInitializeThunk 98061->98220 98062 40c375 98062->97573 98062->97576 98065 41af20 LdrLoadDll 98064->98065 98066 41a03c 98065->98066 98221 1362d30 LdrInitializeThunk 98066->98221 98067 40c449 98067->97584 98070 41af20 LdrLoadDll 98069->98070 98071 419dfc 98070->98071 98222 1362fb0 LdrInitializeThunk 98071->98222 98072 40c49c 98072->97588 98074->98036 98075->98034 98077 407ea0 4 API calls 98076->98077 98081 4087ba 98076->98081 98077->98081 98078 408a49 98078->98043 98078->98044 98079 408a3f 98080 408160 2 API calls 98079->98080 98080->98078 98081->98078 98081->98079 98084 419ec0 2 API calls 98081->98084 98088 40c4b0 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk LdrInitializeThunk 98081->98088 98091 419de0 2 API calls 98081->98091 98092 41a450 LdrLoadDll NtClose 98081->98092 98095 419cd0 98081->98095 98098 4085d0 98081->98098 98110 40f5e0 LdrLoadDll NtClose 98081->98110 98111 419d50 LdrLoadDll 98081->98111 98112 419d80 LdrLoadDll 98081->98112 98113 419e10 LdrLoadDll 98081->98113 98114 4083a0 98081->98114 98130 405f60 LdrLoadDll 98081->98130 98084->98081 98088->98081 98091->98081 98092->98081 98094->98043 98096 41af20 LdrLoadDll 98095->98096 98097 419cec 98096->98097 98097->98081 98099 4085e6 98098->98099 98131 419840 98099->98131 98101 4085ff 98109 408771 98101->98109 98152 4081a0 98101->98152 98103 4086e5 98104 4083a0 11 API calls 98103->98104 98103->98109 98105 408713 98104->98105 98106 419ec0 2 API calls 98105->98106 98105->98109 98107 408748 98106->98107 98108 41a4c0 2 API calls 98107->98108 98107->98109 98108->98109 98109->98081 98110->98081 98111->98081 98112->98081 98113->98081 98115 4083c9 98114->98115 98192 408310 98115->98192 98118 41a4c0 2 API calls 98119 4083dc 98118->98119 98119->98118 98120 408467 98119->98120 98123 408462 98119->98123 98200 40f660 98119->98200 98120->98081 98121 41a450 2 
API calls 98122 40849a 98121->98122 98122->98120 98124 419cd0 LdrLoadDll 98122->98124 98123->98121 98125 4084ff 98124->98125 98125->98120 98204 419d10 98125->98204 98127 408563 98127->98120 98128 414a40 8 API calls 98127->98128 98129 4085b8 98128->98129 98129->98081 98130->98081 98132 41bf50 2 API calls 98131->98132 98133 419857 98132->98133 98159 409310 98133->98159 98135 419872 98136 4198b0 98135->98136 98137 419899 98135->98137 98140 41bd00 2 API calls 98136->98140 98138 41bd80 2 API calls 98137->98138 98139 4198a6 98138->98139 98139->98101 98141 4198ea 98140->98141 98142 41bd00 2 API calls 98141->98142 98143 419903 98142->98143 98148 419ba4 98143->98148 98165 41bd40 98143->98165 98146 419b90 98147 41bd80 2 API calls 98146->98147 98149 419b9a 98147->98149 98150 41bd80 2 API calls 98148->98150 98149->98101 98151 419bf9 98150->98151 98151->98101 98153 40829f 98152->98153 98154 4081b5 98152->98154 98153->98103 98154->98153 98155 414a40 8 API calls 98154->98155 98156 408222 98155->98156 98157 41bd80 2 API calls 98156->98157 98158 408249 98156->98158 98157->98158 98158->98103 98160 409335 98159->98160 98161 40ace0 LdrLoadDll 98160->98161 98162 409368 98161->98162 98164 40938d 98162->98164 98168 40cf10 98162->98168 98164->98135 98186 41a540 98165->98186 98169 40cf1e 98168->98169 98170 41a1a0 LdrLoadDll 98169->98170 98171 40cf55 98170->98171 98172 40cf5c 98171->98172 98179 41a1e0 98171->98179 98172->98164 98176 40cf97 98177 41a450 2 API calls 98176->98177 98178 40cfba 98177->98178 98178->98164 98180 41af20 LdrLoadDll 98179->98180 98181 41a1fc 98180->98181 98182 40cf7f 98181->98182 98185 1362ca0 LdrInitializeThunk 98181->98185 98182->98172 98184 41a7d0 LdrLoadDll 98182->98184 98184->98176 98185->98182 98187 41af20 LdrLoadDll 98186->98187 98188 41a55c 98187->98188 98191 1362f90 LdrInitializeThunk 98188->98191 98189 419b89 98189->98146 98189->98148 98191->98189 98193 408328 98192->98193 98194 40ace0 LdrLoadDll 98193->98194 98195 408343 98194->98195 98196 414e40 LdrLoadDll 
98195->98196 98197 408353 98196->98197 98198 40835c PostThreadMessageW 98197->98198 98199 408370 98197->98199 98198->98199 98199->98119 98201 40f673 98200->98201 98207 419e50 98201->98207 98205 419d2c 98204->98205 98206 41af20 LdrLoadDll 98204->98206 98205->98127 98206->98205 98208 41af20 LdrLoadDll 98207->98208 98209 419e6c 98208->98209 98212 1362dd0 LdrInitializeThunk 98209->98212 98210 40f69e 98210->98119 98212->98210 98213->98050 98215 419f9c 98214->98215 98216 41af20 LdrLoadDll 98214->98216 98219 1362f30 LdrInitializeThunk 98215->98219 98216->98215 98217 40f4ee 98217->98055 98217->98057 98219->98217 98220->98062 98221->98067 98222->98072 98226 1362ad0 LdrInitializeThunk

Control-flow Graph

control_flow_graph 0 41a3d0-41a3e6 1 41a3ec-41a419 NtReadFile 0->1 2 41a3e7 call 41af20 0->2 2->1
APIs
• NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A415
Strings
Memory Dump Source
• Source File: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_z8eokahasflcrscooplasb.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID: !JA$bMA$bMA
• API String ID: 2738559852-4222312340
• Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
• Instruction ID: 54437c4e75339082d0912fbe7e6c9053912bd6928cda1a9760da43cab1c95c7d
• Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
• Instruction Fuzzy Hash: C3F0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241D630E8518BA4

Control-flow Graph

control_flow_graph 3 41a3cf-41a419 call 41af20 NtReadFile
APIs
• NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A415
Strings
Memory Dump Source
• Source File: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_z8eokahasflcrscooplasb.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID: !JA$bMA$bMA
• API String ID: 2738559852-4222312340
• Opcode ID: 83493c65bca316616b8dfc114b1ffbdd54a0795867dfd906044f271b174545b7
• Instruction ID: f63fd5fe50ff4d6a1b3f8389d0797ee0cbc0004fe0ee8fdcc83f079a0ef2ea39
• Opcode Fuzzy Hash: 83493c65bca316616b8dfc114b1ffbdd54a0795867dfd906044f271b174545b7
• Instruction Fuzzy Hash: CBF03AB6200049ABCB04DF98D890CEB77ADFF8C318B15864DFD1C93202C634E8558BA0

Control-flow Graph

control_flow_graph 234 40ace0-40ad09 call 41cc10 237 40ad0b-40ad0e 234->237 238 40ad0f-40ad12 234->238 239 40ad18-40ad1d 238->239 240 40ad13 call 41d030 238->240 241 40ad2d-40ad3e call 41b460 239->241 242 40ad1f-40ad2a call 41d2b0 239->242 240->239 247 40ad40-40ad54 LdrLoadDll 241->247 248 40ad57-40ad5a 241->248 242->241 247->248
APIs
• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52
Memory Dump Source
• Source File: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_z8eokahasflcrscooplasb.jbxd
Yara matches
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
• Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
• Instruction ID: 93036d1b31c8ba6342ae8de3f2893f5930aff37f33252288d1eb8296453bc5b5
• Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
• Instruction Fuzzy Hash: FF015EB5E0020DABDB10EBA1DC42FDEB3789F14308F0041AAE908A7281F634EB54CB95

Control-flow Graph

control_flow_graph 249 41a320-41a371 call 41af20 NtCreateFile
APIs
• NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A36D
Memory Dump Source
• Source File: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_z8eokahasflcrscooplasb.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
• Instruction ID: 30690d9e011530b668ed3b4ae7cc5c3fda29d367b226dbf4f68f65ca016a7565
• Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
• Instruction Fuzzy Hash: FDF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Control-flow Graph

control_flow_graph 265 41a4fa-41a53d call 41af20 NtAllocateVirtualMemory
APIs
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B0F4,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A539
Memory Dump Source
• Source File: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_z8eokahasflcrscooplasb.jbxd
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: ef6995a657fae72083bb1c0bc3fa4105c1e8c1a14b3ef696040fba565f7a21d6
• Instruction ID: a8a6d48869dd00759c443cf5d4fd495aa4a0569589614e788a56841ee800f3a5
• Opcode Fuzzy Hash: ef6995a657fae72083bb1c0bc3fa4105c1e8c1a14b3ef696040fba565f7a21d6
• Instruction Fuzzy Hash: 8DF08CB2200208AFCB14DF99DC81EEB77ADEF88358F04810AFE0897241C230E810CBE1

Control-flow Graph

control_flow_graph 268 41a500-41a516 269 41a51c-41a53d NtAllocateVirtualMemory 268->269 270 41a517 call 41af20 268->270 270->269
APIs
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B0F4,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A539
Memory Dump Source
• Source File: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_z8eokahasflcrscooplasb.jbxd
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
• Instruction ID: c35769ceed384df61eeb5fc049e905e887b244236103aac277853e7772ac0dd9
                                                                                                                                          • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                                                                                          • Instruction Fuzzy Hash: 75F015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241C630F811CBA4
                                                                                                                                          APIs
                                                                                                                                          • NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A475
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Close
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 3535843008-0
                                                                                                                                          • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                                                                                          • Instruction ID: e48275ca6f7768b9f0fd4fab79f6d7fda959a909e55c262f35bdb2090c9231ed
                                                                                                                                          • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                                                                                          • Instruction Fuzzy Hash: E5D01776200214ABD710EB99DC85EE77BADEF48764F15449ABA189B242C530FA1086E0
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2994545307-0
                                                                                                                                          • Opcode ID: 419620e49cc3d7b5ea0460e5fc6cbcc6795f20f6f86a06f41c26e851beaee9f5
                                                                                                                                          • Instruction ID: 3ccb2981ee32299ada5993235504bd6abfb8af831f7d16e831cb27d1a9f697ff
                                                                                                                                          • Opcode Fuzzy Hash: 419620e49cc3d7b5ea0460e5fc6cbcc6795f20f6f86a06f41c26e851beaee9f5
                                                                                                                                          • Instruction Fuzzy Hash: B1900265202400039155715C4418616404A97E0205B55C071E1014590DC52989956225
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2994545307-0
                                                                                                                                          • Opcode ID: a9e8fa6a88adbda2487576827bf29747287aa6023f021d00325cf8ac27bb3a8d
                                                                                                                                          • Instruction ID: f6d93786fd3845eb575a601a4d76b51a82904a1da0a21bb7c80a9a67ee1b223e
                                                                                                                                          • Opcode Fuzzy Hash: a9e8fa6a88adbda2487576827bf29747287aa6023f021d00325cf8ac27bb3a8d
                                                                                                                                          • Instruction Fuzzy Hash: 6C90023520140802E1D0715C440864A004597D1305F95C065A0025654DCA198B5D77A1
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2994545307-0
                                                                                                                                          • Opcode ID: 9dc34a5a99d7cc26b3ee7018cf73a6442d1370fb40d6c3a15ae58d6d866913a9
                                                                                                                                          • Instruction ID: 5c87d07885ea0c05e13e7dda897f97beb2316fb2f30d06cdd0cc8e4252d43bf6
                                                                                                                                          • Opcode Fuzzy Hash: 9dc34a5a99d7cc26b3ee7018cf73a6442d1370fb40d6c3a15ae58d6d866913a9
                                                                                                                                          • Instruction Fuzzy Hash: FB90043D311400035155F55C070C50700C7D7D5355355C071F1015550CD735CD755331
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2994545307-0
                                                                                                                                          • Opcode ID: 17cf99d0280b956ca55f7f6b2896ca4d071b2ffcd3cabe57d013dfec604ba6f5
                                                                                                                                          • Instruction ID: 90036dcf36312cb6edbcca6e331b2b03b0526e2ed9ce30b2fafc003e5bff45c8
                                                                                                                                          • Opcode Fuzzy Hash: 17cf99d0280b956ca55f7f6b2896ca4d071b2ffcd3cabe57d013dfec604ba6f5
                                                                                                                                          • Instruction Fuzzy Hash: A990022530140003E190715C541C6064045E7E1305F55D061E0414554CD919895A5322
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2994545307-0
                                                                                                                                          • Opcode ID: b1977f8458990845b3adbb9869755bc51988ead4cc18d4ca1a35159c745e9e2f
                                                                                                                                          • Instruction ID: 97ef9f7f37572b801620aa32adb736fd6e2d7f2412d12468761cd5f46ffad714
                                                                                                                                          • Opcode Fuzzy Hash: b1977f8458990845b3adbb9869755bc51988ead4cc18d4ca1a35159c745e9e2f
                                                                                                                                          • Instruction Fuzzy Hash: AE90022D21340002E1D0715C540C60A004597D1206F95D465A0015558CC919896D5321
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2994545307-0
                                                                                                                                          • Opcode ID: cbbe0dd8a51c73a6295758706f8bbac82b0a5da9b03d3fb786d19322154cc224
                                                                                                                                          • Instruction ID: eb74c2e6cf6768f67836ea7374f4fc69b3f2a66ddf29b5b2148a9070a1870f63
                                                                                                                                          • Opcode Fuzzy Hash: cbbe0dd8a51c73a6295758706f8bbac82b0a5da9b03d3fb786d19322154cc224
                                                                                                                                          • Instruction Fuzzy Hash: 9E90023520140413E161715C4508707004997D0245F95C462A0424558DD65A8A56A221
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2994545307-0
                                                                                                                                          • Opcode ID: f4f069b37fd15d227c054e25053572065b03cb2864f48a3c349d3453498f7567
                                                                                                                                          • Instruction ID: edbb3ed35ba61aefdfcbf8bba7a2ff5858daf6f6a80dc93f7ec483827660936b
                                                                                                                                          • Opcode Fuzzy Hash: f4f069b37fd15d227c054e25053572065b03cb2864f48a3c349d3453498f7567
                                                                                                                                          • Instruction Fuzzy Hash: 2590022524244152A595B15C44085074046A7E0245795C062A1414950CC52A995AD721
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2994545307-0
                                                                                                                                          • Opcode ID: 3289b75231c2ec448d6cd88ce4a2b815a6f1686a2d1f93ce173de7a66d9014cb
                                                                                                                                          • Instruction ID: 3ebf66f13d794eb4f6abfd4a7418e3f8699a3a66a9b7aeb4b1739ac6be67a408
                                                                                                                                          • Opcode Fuzzy Hash: 3289b75231c2ec448d6cd88ce4a2b815a6f1686a2d1f93ce173de7a66d9014cb
                                                                                                                                          • Instruction Fuzzy Hash: CB90023520148802E160715C840874A004597D0305F59C461A4424658DC69989957221
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2994545307-0
                                                                                                                                          • Opcode ID: 58e98cecae278fdc77d96d31b036ce643e19d107857813aaf5d2a235b85c7974
                                                                                                                                          • Instruction ID: b796293b31939f7ab7c0255b7017e43c4dcaf75e2cdcdeb73fbbcba8f571de6a
                                                                                                                                          • Opcode Fuzzy Hash: 58e98cecae278fdc77d96d31b036ce643e19d107857813aaf5d2a235b85c7974
                                                                                                                                          • Instruction Fuzzy Hash: 6590023520140402E150759C540C646004597E0305F55D061A5024555EC66989956231
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2994545307-0
                                                                                                                                          • Opcode ID: bb602ba06c8f73387138f713be67a42e8b8b1394caafc571bed8fd9a32a1ca7f
                                                                                                                                          • Instruction ID: 9c6e86119d88ef68247967cf0ca71b2e6bf9a267d1d63df7d1007ab81603e8bd
                                                                                                                                          • Opcode Fuzzy Hash: bb602ba06c8f73387138f713be67a42e8b8b1394caafc571bed8fd9a32a1ca7f
                                                                                                                                          • Instruction Fuzzy Hash: 4390026534140442E150715C4418B060045D7E1305F55C065E1064554DC61DCD566226
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2994545307-0
                                                                                                                                          • Opcode ID: 96584dae6b28afae50780e3b4023727e8a51fb39cb44b56005d34acf00fbdee3
                                                                                                                                          • Instruction ID: 1c00bfd765e3a833c42aa89892a16c0ab306eb6a2fbbe75f282c96ed15170538
                                                                                                                                          • Opcode Fuzzy Hash: 96584dae6b28afae50780e3b4023727e8a51fb39cb44b56005d34acf00fbdee3
                                                                                                                                          • Instruction Fuzzy Hash: 44900225601400429190716C88489064045BBE1215755C171A0998550DC55D89695765
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2994545307-0
                                                                                                                                          • Opcode ID: f9e46c6cad097fdc9bc8f7b6b7fa4e00670214b32db3e0e19e399a22eb853a7a
                                                                                                                                          • Instruction ID: 034b5dec0ff90429f28658e101ce9a4926ab8de31b7b378e5afb202d92f06fce
                                                                                                                                          • Opcode Fuzzy Hash: f9e46c6cad097fdc9bc8f7b6b7fa4e00670214b32db3e0e19e399a22eb853a7a
                                                                                                                                          • Instruction Fuzzy Hash: E190023520180402E150715C481870B004597D0306F55C061A1164555DC62989556671
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2994545307-0
                                                                                                                                          • Opcode ID: bd2facb94bf07a94cd42802a3892ad0f69475b2505758150f62d27bdb65d69af
                                                                                                                                          • Instruction ID: b6e187c301ef5462c5ee84a9a1defed5e545639d5e8ffa3261774eb4c2fbc244
                                                                                                                                          • Opcode Fuzzy Hash: bd2facb94bf07a94cd42802a3892ad0f69475b2505758150f62d27bdb65d69af
                                                                                                                                          • Instruction Fuzzy Hash: DF900225211C0042E250756C4C18B07004597D0307F55C165A0154554CC91989655621
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2994545307-0
                                                                                                                                          • Opcode ID: 1c86bb4a7e1461dc48b40f1e3c3d086c82468e226c1793fdf26b9238a2617be0
                                                                                                                                          • Instruction ID: 51874cb310115da8885c221bc14241c872c593f0eaf8ad76d59f47a25c94b7e3
                                                                                                                                          • Opcode Fuzzy Hash: 1c86bb4a7e1461dc48b40f1e3c3d086c82468e226c1793fdf26b9238a2617be0
                                                                                                                                          • Instruction Fuzzy Hash: B890027520140402E190715C4408746004597D0305F55C061A5064554EC65D8ED96765
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2994545307-0
                                                                                                                                          • Opcode ID: 1142bae6598be7e42889ab5d315938594fd597e1cd870f868b7acba131207da1
                                                                                                                                          • Instruction ID: b213506c0f4aba0bcb8de1db0a624cd5f3a183a6329848aa12481bd3bcdcbb53
                                                                                                                                          • Opcode Fuzzy Hash: 1142bae6598be7e42889ab5d315938594fd597e1cd870f868b7acba131207da1
                                                                                                                                          • Instruction Fuzzy Hash: 5490022560140502E151715C4408616004A97D0245F95C072A1024555ECA298A96A231
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 853c01b66d24f589df6b89bde03758f04558a5ab365de05a0f584bb7a63a4c44
                                                                                                                                          • Instruction ID: 4f20240aff7f2371bb6e5cfcebb6b85206ba00274494e6c7b70a30fa46eb6871
                                                                                                                                          • Opcode Fuzzy Hash: 853c01b66d24f589df6b89bde03758f04558a5ab365de05a0f584bb7a63a4c44
                                                                                                                                          • Instruction Fuzzy Hash: 48213CB2D4420957CB25D664AD52BFF737CAB54314F04007FE949A3182F638BF498BA6

                                                                                                                                          Control-flow Graph

                                                                                                                                          control_flow_graph 6 41a5f0-41a621 call 41af20 RtlAllocateHeap
                                                                                                                                          APIs
                                                                                                                                          • RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A61D
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: AllocateHeap
                                                                                                                                          • String ID: &EA
                                                                                                                                          • API String ID: 1279760036-1330915590
                                                                                                                                          • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                                                                                          • Instruction ID: 65e1271fa0e6f293e5ca7d904ec396d69fb6d51de338ced040ab1bfa87458b74
                                                                                                                                          • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                                                                                          • Instruction Fuzzy Hash: 1DE012B2200208ABDB14EF99DC41EA777ADAF88668F118559BA085B242C630F9118AB0

                                                                                                                                          Control-flow Graph

                                                                                                                                          control_flow_graph 204 408308-40835a call 41be20 call 41c9c0 call 40ace0 call 414e40 213 40835c-40836e PostThreadMessageW 204->213 214 40838e-408392 204->214 215 408370-40838a call 40a470 213->215 216 40838d 213->216 215->216 216->214
                                                                                                                                          APIs
                                                                                                                                          • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: MessagePostThread
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1836367815-0
                                                                                                                                          • Opcode ID: ef5f1d55d011f1a35e2ac5c9df164bbc88453ee731418d9a75fc6a9435caf0dc
                                                                                                                                          • Instruction ID: b4c8f16f54624595394dce0b3504f40269457ea049e2996aa2735aeb8c50a29a
                                                                                                                                          • Opcode Fuzzy Hash: ef5f1d55d011f1a35e2ac5c9df164bbc88453ee731418d9a75fc6a9435caf0dc
                                                                                                                                          • Instruction Fuzzy Hash: 9A01D872A8031877E724AA958C43FFE772CAB40B54F09011EFF04BA1C1D6B8690547EA

                                                                                                                                          Control-flow Graph

                                                                                                                                          control_flow_graph 219 408310-40831f 220 408328-40835a call 41c9c0 call 40ace0 call 414e40 219->220 221 408323 call 41be20 219->221 228 40835c-40836e PostThreadMessageW 220->228 229 40838e-408392 220->229 221->220 230 408370-40838a call 40a470 228->230 231 40838d 228->231 230->231 231->229
                                                                                                                                          APIs
                                                                                                                                          • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: MessagePostThread
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1836367815-0
                                                                                                                                          • Opcode ID: 6793861beeebbadff428f1e0055fcae04fb265a346085d9c044c4ec0df2940a0
                                                                                                                                          • Instruction ID: a0f03ca10d03d1d5c38d3c187be8154ddc7636efa3ebbcfd239e67dddfad06e3
                                                                                                                                          • Opcode Fuzzy Hash: 6793861beeebbadff428f1e0055fcae04fb265a346085d9c044c4ec0df2940a0
                                                                                                                                          • Instruction Fuzzy Hash: B4018471A8032877E720A6959C43FFE776C6B40B54F05012AFF04BA1C1E6A8690546EA

                                                                                                                                          Control-flow Graph

                                                                                                                                          control_flow_graph 252 40acd3-40acdd 253 40ad11-40ad1d call 41d030 252->253 254 40acdf 252->254 257 40ad2d-40ad3e call 41b460 253->257 258 40ad1f-40ad2a call 41d2b0 253->258 254->253 263 40ad40-40ad54 LdrLoadDll 257->263 264 40ad57-40ad5a 257->264 258->257 263->264
                                                                                                                                          APIs
                                                                                                                                          • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Load
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2234796835-0
                                                                                                                                          • Opcode ID: 7a78a57abf046eaf2fe0e8ee4afc00ab0d0b90ac85ec523eacb7086efbdd2b06
                                                                                                                                          • Instruction ID: c1fd8b40f92c63a70ebe02721bb4a8d609419960d13cd0c7f60dfc89d3df379a
                                                                                                                                          • Opcode Fuzzy Hash: 7a78a57abf046eaf2fe0e8ee4afc00ab0d0b90ac85ec523eacb7086efbdd2b06
                                                                                                                                          • Instruction Fuzzy Hash: 2CF090B5E00209BBDB10DAA4DC42FEEB3799F54309F104669A918A6282E634EA548B56

                                                                                                                                          Control-flow Graph

                                                                                                                                          control_flow_graph 271 41a630-41a646 272 41a64c-41a661 RtlFreeHeap 271->272 273 41a647 call 41af20 271->273 273->272
                                                                                                                                          APIs
                                                                                                                                          • RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A65D
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: FreeHeap
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 3298025750-0
                                                                                                                                          • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                                                                                          • Instruction ID: a31e03847b69acb9206512889bce5d114748d47cfafea9ced6338f279cce3475
                                                                                                                                          • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                                                                                          • Instruction Fuzzy Hash: 64E04FB12002046BD714DF59DC45EE777ADEF88754F014559FD0857241C630F910CAF0
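The function records in this listing all follow one fixed layout: an optional block of resolved API calls (the argument values the sandbox observed plus the call-site address after "ref:"), then bullet fields that always end with "Instruction Fuzzy Hash". The parser below is an added example and is not part of the Joe Sandbox report or its tooling. It pulls those fields out of the listing text so that the fuzzy hashes can be indexed for comparison against other reports and the observed arguments can be read with a known constant decoded (0x111 in the second argument of PostThreadMessageW is WM_COMMAND). The regular expressions assume the bullet character and the "Name.MODULE(args), ref: addr" form exactly as they appear on this page; the sample input is constructed from three of the records above, trimmed to the fields the parser uses.

```python
"""Parse the per-function records of a Joe Sandbox "IDA Plugin" listing.

Added example, not sandbox tooling. Each record may carry resolved API
calls (observed argument values plus call-site address) and always ends
with the "Instruction Fuzzy Hash" field, which is used as the terminator.
"""
import re
from collections import defaultdict

# Resolved API call, e.g.
#   • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
API_CALL_RE = re.compile(
    r"^•\s*(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*"
    r"(?P<ref>[0-9A-Fa-f]{8})$"
)
# Generic "• Key: value" field; the lazy key stops at the first colon so
# "Source File: ..., Offset: ..., based on PE: true" keeps its whole value.
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")
LAST_FIELD = "Instruction Fuzzy Hash"

# Only constant needed for the constructed sample: WM_COMMAND == 0x0111.
WINDOW_MESSAGES = {0x0111: "WM_COMMAND"}


def parse_records(text):
    """Return a list of dicts, one per function record, with an 'apis' list."""
    records, current = [], {"apis": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = API_CALL_RE.match(line)
        if m:
            current["apis"].append({
                "name": m.group("name"), "module": m.group("module"),
                "args": [a.strip() for a in m.group("args").split(",")],
                "ref": m.group("ref"),
            })
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group("key"), m.group("value").strip()
            current[key] = value
            if key == LAST_FIELD:          # last field: record complete
                records.append(current)
                current = {"apis": []}
    return records


def decode_call(call):
    """Readable 'MODULE!Name(args) @ ref' with known constants decoded."""
    shown = []
    for i, a in enumerate(call["args"]):
        # Second argument of PostThreadMessageW is the window message id.
        if call["name"] == "PostThreadMessageW" and i == 1 and a != "?":
            a = WINDOW_MESSAGES.get(int(a, 16), a)
        shown.append(a)
    return "{}!{}({}) @ {}".format(call["module"], call["name"],
                                   ", ".join(shown), call["ref"])


def calls_by_module(records):
    """Map each module to the set of API names resolved from it."""
    out = defaultdict(set)
    for r in records:
        for c in r["apis"]:
            out[c["module"]].add(c["name"])
    return dict(out)


def index_by_fuzzy_hash(records):
    """Map Instruction Fuzzy Hash -> Instruction IDs, for cross-report diffing."""
    idx = defaultdict(list)
    for r in records:
        idx[r[LAST_FIELD]].append(r.get("Instruction ID"))
    return dict(idx)


# Constructed sample: three records copied from this report, trimmed.
SAMPLE = """\
Control-flow Graph
control_flow_graph 6 41a5f0-41a621 call 41af20 RtlAllocateHeap
APIs
• RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A61D
Memory Dump Source
• Source File: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• API ID: AllocateHeap
• String ID: &EA
• Instruction ID: 65e1271fa0e6f293e5ca7d904ec396d69fb6d51de338ced040ab1bfa87458b74
• Instruction Fuzzy Hash: 1DE012B2200208ABDB14EF99DC41EA777ADAF88668F118559BA085B242C630F9118AB0
APIs
• PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
• API ID: MessagePostThread
• Instruction ID: b4c8f16f54624595394dce0b3504f40269457ea049e2996aa2735aeb8c50a29a
• Instruction Fuzzy Hash: 9A01D872A8031877E724AA958C43FFE772CAB40B54F09011EFF04BA1C1D6B8690547EA
APIs
• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52
• API ID: Load
• Instruction ID: c1fd8b40f92c63a70ebe02721bb4a8d609419960d13cd0c7f60dfc89d3df379a
• Instruction Fuzzy Hash: 2CF090B5E00209BBDB10DAA4DC42FEEB3799F54309F104669A918A6282E634EA548B56
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        for c in r["apis"]:
            print(decode_call(c))
    print(calls_by_module(recs))
```

Feed it the plain text of a whole listing (indentation is stripped per line, and the graph legend and headings are ignored because they are neither API lines nor bullet fields). The fuzzy-hash index is the piece to keep across reports: two samples whose records share Instruction Fuzzy Hash values share function bodies, which is a cheaper first pass than comparing the SHA-256 style Opcode and Instruction IDs, which change with any byte-level difference.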

                                                                                                                                          Control-flow Graph

                                                                                                                                          control_flow_graph 274 41a790-41a7c4 call 41af20 LookupPrivilegeValueW
                                                                                                                                          APIs
                                                                                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7C0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: LookupPrivilegeValue
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 3899507212-0
                                                                                                                                          • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                                                                                          • Instruction ID: b8658252b81b08ed33e4a874e4d8f80b0614426e32f2ee3a7d9107b08e04f012
                                                                                                                                          • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                                                                                          • Instruction Fuzzy Hash: 9EE01AB12002086BDB10DF49DC85EE737ADAF88654F018155BA0857241C934E8118BF5

                                                                                                                                           Control-flow Graph
                                                                                                                                           control_flow_graph 277 41a627-41a647 call 41af20 279 41a64c-41a661 RtlFreeHeap 277->279
                                                                                                                                          APIs
                                                                                                                                          • RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A65D
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: FreeHeap
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 3298025750-0
                                                                                                                                          • Opcode ID: 8fc01b17513979d7a3b2d38217e8459bec71f246de97fded1b33fb7bd58b6314
                                                                                                                                          • Instruction ID: a8769b87fbd13ccccba7fd13471096a447ad1aba350d02a4c9d17561023f8ee3
                                                                                                                                          • Opcode Fuzzy Hash: 8fc01b17513979d7a3b2d38217e8459bec71f246de97fded1b33fb7bd58b6314
                                                                                                                                          • Instruction Fuzzy Hash: 5FE026B86042804BDB00EFA9E88099777D5FF803187108A4EEC5C47207C235D46ACBB2
                                                                                                                                          APIs
                                                                                                                                          • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A698
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: ExitProcess
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 621844428-0
                                                                                                                                          • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                                                                                          • Instruction ID: 94fb8da58e6992106aa2b0ab061ea4c6965e877b66759b154152d16d38dd5c99
                                                                                                                                          • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                                                                                          • Instruction Fuzzy Hash: B9D017726002187BD620EB99DC85FD777ACDF487A4F0180AABA1C6B242C531FA108AE1
                                                                                                                                          APIs
                                                                                                                                          • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A698
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1777720694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: ExitProcess
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 621844428-0
                                                                                                                                          • Opcode ID: aa1c07136cd43c831b90654400703fe85de425a43d17ac240b707da0efc29dc6
                                                                                                                                          • Instruction ID: b21f661e9028c3ffdd16e32d8986191bc3b8ac7d34e2c96c3e34d5c702236501
                                                                                                                                          • Opcode Fuzzy Hash: aa1c07136cd43c831b90654400703fe85de425a43d17ac240b707da0efc29dc6
                                                                                                                                          • Instruction Fuzzy Hash: 24D022F24100002BC220ABA89E81FC733A8AF04314F11805AB82CAB302C434EA515AF5
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2994545307-0
                                                                                                                                          • Opcode ID: cad408502e377c1023e000a935f8157640def29cc51ad85e3558e9ece5916c5f
                                                                                                                                          • Instruction ID: 0e8ab95ff4da3a0b6f3342055d7c84679018cd90ee0fc12f60fe6d09f08c0c4b
                                                                                                                                          • Opcode Fuzzy Hash: cad408502e377c1023e000a935f8157640def29cc51ad85e3558e9ece5916c5f
                                                                                                                                          • Instruction Fuzzy Hash: 3CB09B719015C5C9EE51F764460C7177D4477D0705F16C071D2030641F473CC1D5E275
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                                                                                                          • API String ID: 0-2160512332
                                                                                                                                          • Opcode ID: eb26ea17883d05854fc2fe8accf36802fb4188d19b92e0ff7b86962aaa3f96da
                                                                                                                                          • Instruction ID: e7e811b74046becbb3f2b23a4a37724ec8ccda0c95a0c4e27a8258fbf8399324
                                                                                                                                          • Opcode Fuzzy Hash: eb26ea17883d05854fc2fe8accf36802fb4188d19b92e0ff7b86962aaa3f96da
                                                                                                                                          • Instruction Fuzzy Hash: 06926B71608342AFE725DF28C880B6BBBE8FB84758F44492DFA95D7251D770E844CB92
                                                                                                                                          Strings
                                                                                                                                          • double initialized or corrupted critical section, xrefs: 01395508
                                                                                                                                          • Thread is in a state in which it cannot own a critical section, xrefs: 01395543
                                                                                                                                          • Invalid debug info address of this critical section, xrefs: 013954B6
                                                                                                                                          • Thread identifier, xrefs: 0139553A
                                                                                                                                          • Critical section debug info address, xrefs: 0139541F, 0139552E
                                                                                                                                          • 8, xrefs: 013952E3
                                                                                                                                          • corrupted critical section, xrefs: 013954C2
                                                                                                                                          • Critical section address., xrefs: 01395502
                                                                                                                                          • Address of the debug info found in the active list., xrefs: 013954AE, 013954FA
                                                                                                                                          • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0139540A, 01395496, 01395519
                                                                                                                                          • undeleted critical section in freed memory, xrefs: 0139542B
                                                                                                                                          • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 013954CE
                                                                                                                                          • Critical section address, xrefs: 01395425, 013954BC, 01395534
                                                                                                                                          • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 013954E2
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                                                                                                          • API String ID: 0-2368682639
                                                                                                                                          • Opcode ID: c6348a733167d009fa5ecd35c00a42c1a1e0ff13d8a44cdb756b2ba86172ea7d
                                                                                                                                          • Instruction ID: c14227079acc08c455e99348dc7360b689b665a61311c4f825cc9e421e18a886
                                                                                                                                          • Opcode Fuzzy Hash: c6348a733167d009fa5ecd35c00a42c1a1e0ff13d8a44cdb756b2ba86172ea7d
                                                                                                                                          • Instruction Fuzzy Hash: C6818C70E40348EFDF21CF9AC841BAEBBF9AB48718F10419AE604B7691D371A941CB60
                                                                                                                                          Strings
                                                                                                                                          • @, xrefs: 0139259B
                                                                                                                                          • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01392506
                                                                                                                                          • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01392498
                                                                                                                                          • RtlpResolveAssemblyStorageMapEntry, xrefs: 0139261F
                                                                                                                                          • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 013922E4
                                                                                                                                          • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01392412
                                                                                                                                          • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01392624
                                                                                                                                          • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 013924C0
                                                                                                                                          • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01392409
                                                                                                                                          • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 013925EB
                                                                                                                                          • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01392602
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                                                                                                          • API String ID: 0-4009184096
                                                                                                                                          • Opcode ID: 65729169c0595473e8bc9e9d49187fe0c82f66fc0ef5c3e6129b0391ac4e670a
                                                                                                                                          • Instruction ID: c144ac81b85724fe606b7e484cf5c9890a49b400bf3d6b47b27a3deb0c49cb9f
                                                                                                                                          • Opcode Fuzzy Hash: 65729169c0595473e8bc9e9d49187fe0c82f66fc0ef5c3e6129b0391ac4e670a
                                                                                                                                          • Instruction Fuzzy Hash: 0A0282F1D006299BDF61DB58CC80BDAB7B8AF54708F4041D9EA49B7242D770AE84CF99
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                                                                                                          • API String ID: 0-2515994595
                                                                                                                                          • Opcode ID: 40fe5f7481a2441367ac60cd7a00003545bae64d7ae71427e7a9b222e88120c8
                                                                                                                                          • Instruction ID: e2be8c54c729a9cdda024bdac760c70ab6f1b8d8cd0a3c33dbcef49a0bbf1c6b
                                                                                                                                          • Opcode Fuzzy Hash: 40fe5f7481a2441367ac60cd7a00003545bae64d7ae71427e7a9b222e88120c8
                                                                                                                                          • Instruction Fuzzy Hash: 8E51D0715143159BC729DF1C8848BABBBECEF94A58F14896DEA59C3240E770DA08CB92
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                                                                                                          • API String ID: 0-1700792311
                                                                                                                                          Strings
                                                                                                                                          • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 013A8A67
                                                                                                                                          • VerifierFlags, xrefs: 013A8C50
                                                                                                                                          • VerifierDlls, xrefs: 013A8CBD
                                                                                                                                          • AVRF: -*- final list of providers -*- , xrefs: 013A8B8F
                                                                                                                                          • VerifierDebug, xrefs: 013A8CA5
                                                                                                                                          • HandleTraces, xrefs: 013A8C8F
                                                                                                                                          • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 013A8A3D
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                                                                                                          • API String ID: 0-3223716464
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                                                                                                          • API String ID: 0-1109411897
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                                                                                                          • API String ID: 0-792281065
                                                                                                                                          Strings
                                                                                                                                          • minkernel\ntdll\ldrinit.c, xrefs: 01379A11, 01379A3A
                                                                                                                                          • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 013799ED
                                                                                                                                          • apphelp.dll, xrefs: 01316496
                                                                                                                                          • LdrpInitShimEngine, xrefs: 013799F4, 01379A07, 01379A30
                                                                                                                                          • Getting the shim engine exports failed with status 0x%08lx, xrefs: 01379A01
                                                                                                                                          • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01379A2A
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                                                                          • API String ID: 0-204845295
                                                                                                                                          Strings
                                                                                                                                          • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01392178
                                                                                                                                          • SXS: %s() passed the empty activation context, xrefs: 01392165
                                                                                                                                          • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0139219F
                                                                                                                                          • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01392180
                                                                                                                                          • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 013921BF
                                                                                                                                          • RtlGetAssemblyStorageRoot, xrefs: 01392160, 0139219A, 013921BA
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                                                                                                          • API String ID: 0-861424205
                                                                                                                                          Strings
                                                                                                                                          • minkernel\ntdll\ldrredirect.c, xrefs: 01398181, 013981F5
                                                                                                                                          • minkernel\ntdll\ldrinit.c, xrefs: 0135C6C3
                                                                                                                                          • Loading import redirection DLL: '%wZ', xrefs: 01398170
                                                                                                                                          • Unable to build import redirection Table, Status = 0x%x, xrefs: 013981E5
                                                                                                                                          • LdrpInitializeProcess, xrefs: 0135C6C4
                                                                                                                                          • LdrpInitializeImportRedirection, xrefs: 01398177, 013981EB
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                                                                                                          • API String ID: 0-475462383
                                                                                                                                          APIs
                                                                                                                                            • Part of subcall function 01362DF0: LdrInitializeThunk.NTDLL ref: 01362DFA
                                                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01360BA3
                                                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01360BB6
                                                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01360D60
                                                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01360D74
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1404860816-0
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                                                                                                          • API String ID: 0-379654539
                                                                                                                                          Strings
                                                                                                                                          • minkernel\ntdll\ldrinit.c, xrefs: 01358421
• @, xrefs: 01358591
• LdrpInitializeProcess, xrefs: 01358422
• \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0135855E
Memory Dump Source
• Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
• API String ID: 0-1918872054
• Opcode ID: 22df296da8bfe8e00e625267fe35015407a25fbf71dba37f846c6a98f968ac21
• Instruction ID: 9a95a4cc987c87b8b77fa5bd358efe036244310d1396a0a08c063e7b6f98be4c
• Opcode Fuzzy Hash: 22df296da8bfe8e00e625267fe35015407a25fbf71dba37f846c6a98f968ac21
• Instruction Fuzzy Hash: 5E916E71508345AFDB21DF66C840FABBAECEF84B5CF40496EFA8492151D734D944CB62
Strings
• SXS: %s() passed the empty activation context, xrefs: 013921DE
• RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 013921D9, 013922B1
• .Local, xrefs: 013528D8
• SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 013922B6
Similarity
• API ID:
• String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
• API String ID: 0-1239276146
Strings
• ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0138106B
• ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01380FE5
• ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01381028
• ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 013810AE
Similarity
• API ID:
• String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
• API String ID: 0-1468400865
Strings
• minkernel\ntdll\ldrinit.c, xrefs: 0138A9A2
• Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0138A992
• apphelp.dll, xrefs: 01342462
• LdrpDynamicShimModule, xrefs: 0138A998
Similarity
• API ID:
• String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
• API String ID: 0-176724104
Strings
• HEAP[%wZ]: , xrefs: 01333255
• HEAP: , xrefs: 01333264
• Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0133327D
Similarity
• API ID:
• String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
• API String ID: 0-617086771
Strings
Similarity
• API ID:
• String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
• API String ID: 0-4253913091
Strings
Similarity
• API ID: InitializeThunk
• String ID: $@
• API String ID: 2994545307-1077428164
Strings
Similarity
• API ID:
• String ID: FilterFullPath$UseFilter$\??\
• API String ID: 0-2779062949
Strings
• minkernel\ntdll\ldrinit.c, xrefs: 0138A121
• LdrpCheckModule, xrefs: 0138A117
• Failed to allocated memory for shimmed module list, xrefs: 0138A10F
Similarity
• API ID:
• String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
• API String ID: 0-161242083
Strings
Similarity
• API ID:
• String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
• API String ID: 0-1334570610
Strings
• minkernel\ntdll\ldrinit.c, xrefs: 013982E8
• Failed to reallocate the system dirs string !, xrefs: 013982D7
• LdrpInitializePerUserWindowsDirectory, xrefs: 013982DE
Similarity
• API ID:
• String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
• API String ID: 0-1783798831
Strings
• \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 013DC1C5
• PreferredUILanguages, xrefs: 013DC212
• @, xrefs: 013DC1F1
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                                                                                                          • API String ID: 0-2968386058
Strings
Memory Dump Source
• Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
• API String ID: 0-1373925480
Strings
• minkernel\ntdll\ldrredirect.c, xrefs: 013A4899
• LdrpCheckRedirection, xrefs: 013A488F
• Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 013A4888
Memory Dump Source
• Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
• API String ID: 0-3154609507
Strings
Memory Dump Source
• Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
• API String ID: 0-2558761708
Strings
• minkernel\ntdll\ldrinit.c, xrefs: 013A2104
• LdrpInitializationFailure, xrefs: 013A20FA
• Process initialization failed with status 0x%08lx, xrefs: 013A20F3
Memory Dump Source
• Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
• API String ID: 0-2986994758
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: #%u
• API String ID: 48624451-232158463
Strings
• LdrResSearchResource Enter, xrefs: 0132AA13
• LdrResSearchResource Exit, xrefs: 0132AA25
Memory Dump Source
• Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
• API String ID: 0-4066393604
Strings
Memory Dump Source
• Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID: `$`
• API String ID: 0-197956300
Strings
Memory Dump Source
• Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID: InitializeThunk
• String ID: Legacy$UEFI
• API String ID: 2994545307-634100481
Strings
Memory Dump Source
• Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID: @$MUI
• API String ID: 0-17815947
Strings
• kLsE, xrefs: 01320540
• TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0132063D
Memory Dump Source
• Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
• API String ID: 0-2547482624
Strings
• RtlpResUltimateFallbackInfo Exit, xrefs: 0132A309
• RtlpResUltimateFallbackInfo Enter, xrefs: 0132A2FB
Memory Dump Source
• Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
• API String ID: 0-2876891731
Strings
Memory Dump Source
• Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID: InitializeThunk
• String ID: Cleanup Group$Threadpool!
• API String ID: 2994545307-4008356553
                                                                                                                                          • Opcode ID: 9346bb693467ec2125bb4735888e77354a7b4f4a7b1d25016826a945e5322e5e
                                                                                                                                          • Instruction ID: f302ebe947ba500f0754c54bf7ee9e657df183f31105cb78ea586942646b568e
                                                                                                                                          • Opcode Fuzzy Hash: 9346bb693467ec2125bb4735888e77354a7b4f4a7b1d25016826a945e5322e5e
                                                                                                                                          • Instruction Fuzzy Hash: 0901F4B2250704AFD351DF24CD45F1677E8E794B29F018A3DAA5CC7190E374D804DB96
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: MUI
                                                                                                                                          • API String ID: 0-1339004836
                                                                                                                                          • Opcode ID: 4b07222425b15d2bf9846c0eb8011a9949617fdada2ffcd018d024f67cdc1924
                                                                                                                                          • Instruction ID: 3549095e7c95456af225bc7c1287e99edd47b88df95dd80feb00b04966277058
                                                                                                                                          • Opcode Fuzzy Hash: 4b07222425b15d2bf9846c0eb8011a9949617fdada2ffcd018d024f67cdc1924
                                                                                                                                          • Instruction Fuzzy Hash: DB826C75E002289FEB25EFADC880BEDBBB5BF48718F148169D919AB351DB309D41CB50
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 0-3916222277
                                                                                                                                          • Opcode ID: a6766c1bf3d59c76856ca51b09123321adb6544b94f8368209d9ca0b56f70e12
                                                                                                                                          • Instruction ID: ad468f39e297df7c45fdb7fae1ce7e603a3299054a8420a4422abe3e97a36240
                                                                                                                                          • Opcode Fuzzy Hash: a6766c1bf3d59c76856ca51b09123321adb6544b94f8368209d9ca0b56f70e12
                                                                                                                                          • Instruction Fuzzy Hash: 369184B1A00219AFEB21DF99CD85FAEBBB8EF54758F544055F600BB191D774AD00CBA0
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 0-3916222277
                                                                                                                                          • Opcode ID: c6dd656158948be40aeb8f89adc1ead60a7af73c72da4fbd9308885586153392
                                                                                                                                          • Instruction ID: 877f980e9d4bcc3eb66e3677c0086ec27cc87e9de0e1700ef56385e6ee29b71f
                                                                                                                                          • Opcode Fuzzy Hash: c6dd656158948be40aeb8f89adc1ead60a7af73c72da4fbd9308885586153392
                                                                                                                                          • Instruction Fuzzy Hash: EF917072901609AFDB22ABA9DC44FAFBF7EEF85B58F100029F505A7250D775AD01CB50
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: GlobalTags
                                                                                                                                          • API String ID: 0-1106856819
                                                                                                                                          • Opcode ID: 58d5946e3fcc2a3665ccc47f6ce5b6759f63a3d7402f5b5901fba6a563452764
                                                                                                                                          • Instruction ID: d21ab167605fa5d4e16da4e53bb8e6f52e82804532f802f03ccb129ff9460c9b
                                                                                                                                          • Opcode Fuzzy Hash: 58d5946e3fcc2a3665ccc47f6ce5b6759f63a3d7402f5b5901fba6a563452764
                                                                                                                                          • Instruction Fuzzy Hash: E67181B5E0520ADFDF28CF9CD591AADBBB1BF48718F14812EE905AB241E7309841CB60
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: .mui
                                                                                                                                          • API String ID: 0-1199573805
                                                                                                                                          • Opcode ID: dd6313d0cc09a7dbc947c22e8f2c87d90f85e6f0d75cd9f050e26c4f98371c17
                                                                                                                                          • Instruction ID: adfb0a929a8d392e891c319a0d3cb70626807ec9902e19149f194de086fea1b4
                                                                                                                                          • Opcode Fuzzy Hash: dd6313d0cc09a7dbc947c22e8f2c87d90f85e6f0d75cd9f050e26c4f98371c17
                                                                                                                                          • Instruction Fuzzy Hash: A0516F76D0022ADFDB10DF9DD850AAEBBB8AF14F58F05412DEA11BB240D7749D01CBA4
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: EXT-
                                                                                                                                          • API String ID: 0-1948896318
                                                                                                                                          • Opcode ID: 037d22c0f60c621cc1fa9593d59db8572d7613b29e022d2f9b0072da5b575ca4
                                                                                                                                          • Instruction ID: 415eb4790015441ec64d8ab5c1938f3cec4c95965e847c21630c5bdd1496192c
                                                                                                                                          • Opcode Fuzzy Hash: 037d22c0f60c621cc1fa9593d59db8572d7613b29e022d2f9b0072da5b575ca4
                                                                                                                                          • Instruction Fuzzy Hash: 1D4180725183569BD721DA79C840BABB7ECAFC871CF44093DFA84E7180E674D904C79A
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: BinaryHash
                                                                                                                                          • API String ID: 0-2202222882
                                                                                                                                          • Opcode ID: 7a8c4551375d0e41645bacdbd3cfa1e5f5a6b775dc3fe5df659783b9bbed89f4
                                                                                                                                          • Instruction ID: 609e439bf584b6618d8d531ba4b3422b4feb0cba28c61f06b0d56d6c52c10b80
                                                                                                                                          • Opcode Fuzzy Hash: 7a8c4551375d0e41645bacdbd3cfa1e5f5a6b775dc3fe5df659783b9bbed89f4
                                                                                                                                          • Instruction Fuzzy Hash: 674144B1D0012DAEDF21DA54CC84FDEB77CAB44718F0045A5AA08AB141DB709E89CFA4
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: #
                                                                                                                                          • API String ID: 0-1885708031
                                                                                                                                          • Opcode ID: 03165374957525af0ce7a5b0ccba2d4f1664bcb14edf6e974d9c6817d815501a
                                                                                                                                          • Instruction ID: 2c465301ef9283c8a8d5097afd761dc4670c7df02579f59e07e592ddeab45ef5
                                                                                                                                          • Opcode Fuzzy Hash: 03165374957525af0ce7a5b0ccba2d4f1664bcb14edf6e974d9c6817d815501a
                                                                                                                                          • Instruction Fuzzy Hash: 61311771E006199ADF22CB6DC891BEE7BB8DF45308F104028EA419B683E775D805CB50
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: BinaryName
                                                                                                                                          • API String ID: 0-215506332
                                                                                                                                          • Opcode ID: b8b3d484c5c4331e63430878f34c326ae29eea24c8322683e5478bc157247d32
                                                                                                                                          • Instruction ID: 86bee1145d87e7a33489a57f41f111285ae992d9ad7075e5ca5b9313bf7a053d
                                                                                                                                          • Opcode Fuzzy Hash: b8b3d484c5c4331e63430878f34c326ae29eea24c8322683e5478bc157247d32
                                                                                                                                          • Instruction Fuzzy Hash: B131E33690051AAFEF16DA5DC855EBFBB78EB80768F018129A905A7291D7309E04DBE0
                                                                                                                                          Strings
                                                                                                                                          • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 013A895E
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                                                                                                          • API String ID: 0-702105204
                                                                                                                                          • Opcode ID: 2921d5e3661a5881e291d307bc381998766616114117bcf0e76673f036c00aca
                                                                                                                                          • Instruction ID: b204bdf729d09f15d54fd8db7e9795facd3441fe43a52b75897d9ff85aa6d6d3
                                                                                                                                          • Opcode Fuzzy Hash: 2921d5e3661a5881e291d307bc381998766616114117bcf0e76673f036c00aca
                                                                                                                                          • Instruction Fuzzy Hash: 68017632300201ABE6216F1DDC84BEABF69EFC665DB84046CF2411A565CB20A882CB92
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 88b696097a447f60b666b2d467d21329cce70c64a13178664e2e42ef8d264e8c
                                                                                                                                          • Instruction ID: 3e4fa80ea26bae891aaaad84cc2155f79ac38068b70f533f992ed1ddd260ab71
                                                                                                                                          • Opcode Fuzzy Hash: 88b696097a447f60b666b2d467d21329cce70c64a13178664e2e42ef8d264e8c
                                                                                                                                          • Instruction Fuzzy Hash: 4C42C2366083419FDB25CF68C890A6BFBE5BF88B08F08492DFA8697250D771DC45CB52
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0036d9f0563d8c1d55a3c2dc72b24aba72277bcf6daa2371fd8eb36fe8673a63
• Instruction ID: 46ac196461fdf0394d4fc31aa92f236a631f44adb19d36695132e478a6ddee86
• Opcode Fuzzy Hash: 0036d9f0563d8c1d55a3c2dc72b24aba72277bcf6daa2371fd8eb36fe8673a63
• Instruction Fuzzy Hash: C6424D75A102198FEB25CF69C881BEDBBF9BF48314F148099EA49EB241E7349985CF50
Memory Dump Source
• Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1300404bec4194053d73c05293ea41119a1c622089166a2e7fadd47b5f96e871
• Instruction ID: 59adfabffd15deae76338ae22c1d58f40433a5f01f88007e9ae9ed188bfe7a54
• Opcode Fuzzy Hash: 1300404bec4194053d73c05293ea41119a1c622089166a2e7fadd47b5f96e871
• Instruction Fuzzy Hash: D432E0B0A007598FEB25EF6DC8467BEBBF6BF84708F24411DD58A9B684D735A801CB50
Memory Dump Source
• Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4a92fe8580c10001c636349dcd48d175726f790c225cdc238298c602e0bc7975
• Instruction ID: 64206bba1130775bc00cd674b1361c6b4568b9fdd710f88e7fa0e4fbbae7b83f2
• Opcode Fuzzy Hash: 4a92fe8580c10001c636349dcd48d175726f790c225cdc238298c602e0bc7975
• Instruction Fuzzy Hash: 5122AD706046698BEB25CF2DC094772BBF1BF44B08F08845ED9968B686F735EC52DB60
Memory Dump Source
• Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 66c45fcbd2b2c5dac7d053c0284bfe86bdf973d156791283dd31687faddc7eb2
• Instruction ID: b1b2ff954b0bbe6fea00ecea2ae4e367ce066af7b3a51aaf7c8a49b575473139
• Opcode Fuzzy Hash: 66c45fcbd2b2c5dac7d053c0284bfe86bdf973d156791283dd31687faddc7eb2
• Instruction Fuzzy Hash: 4532BEB1A00219CFDB25EF6DC480BAABBF5FF48318F148569E956AB751D730E841CB90
Memory Dump Source
• Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
• Instruction ID: a291521e48fba4f3b5e63c68bfa1ce373d11698404aa6a235965a692d4517be8
• Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
• Instruction Fuzzy Hash: 73F15D71E0021A9BDF15DFA9C580BAEBBF5BF48718F088129E945AB345E774EC41CB60
Memory Dump Source
• Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6772558f50aefc811fe038c00fdd7029a4da015e55da92224a57b0df779123d5
• Instruction ID: 912b12f51b56115585afb41d7f08b37898779c9b8d4696f50ae1c11a0be6343f
• Opcode Fuzzy Hash: 6772558f50aefc811fe038c00fdd7029a4da015e55da92224a57b0df779123d5
• Instruction Fuzzy Hash: 81D1E471A0060A8BDF15CF6DC881BFEB7F9AF88308F1881A9DA55A7641E735E905CB50
Memory Dump Source
• Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e8b7f6247eeed378c574f66442665619cac79c1cea87afbb91177b0e404d232d
• Instruction ID: 7c06aa10031b97139323445edaa163d2357af8390f050ccd629e9130963b5da4
• Opcode Fuzzy Hash: e8b7f6247eeed378c574f66442665619cac79c1cea87afbb91177b0e404d232d
• Instruction Fuzzy Hash: DDE19FB1608352CFC715EF2CC490A6ABBE4FF89318F05896DE99987351DB31E905CB92
Memory Dump Source
• Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c63ae44638d1b8195c5923523d57f279bfd57059ada79d41d2fb7175985d454f
• Instruction ID: 1751b903611719c8ee0d8495e8632909e8c17014faa1338943074eb28b875dc7
• Opcode Fuzzy Hash: c63ae44638d1b8195c5923523d57f279bfd57059ada79d41d2fb7175985d454f
• Instruction Fuzzy Hash: 33D1E771A0060ADBDB28DF68C880EBAB7B5FF5431CF04466DEA15DB288EB34D951CB54
Memory Dump Source
• Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
• Instruction ID: 0e46943d231d81d2882d8f2e0fd4f868101e09800e146489dbc323e83b286d90
• Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
• Instruction Fuzzy Hash: 64B18374A006059FEB24DF99C940EBBBBB9FF8430DF9044ADAA4297790DA34E945CB10
Memory Dump Source
• Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
• Instruction ID: e9072186b61d9db558d3b3de2559861eb6edcef09d749670a588225d19c59dff
• Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
• Instruction Fuzzy Hash: 4EB1267160474ADFEB16DB6CC840BBEBBFAEF84208F144199E552D7681DB30E941CB94
Memory Dump Source
• Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 34fe3a6e33f74e6a41e2c8f6e2a0c4c83b71703b54c83e7d5a7f4355be4920bb
• Instruction ID: 44edf7e4310c2152795cb174892999a5f43ef2ca159eedbae354bc630dab47a7
• Opcode Fuzzy Hash: 34fe3a6e33f74e6a41e2c8f6e2a0c4c83b71703b54c83e7d5a7f4355be4920bb
• Instruction Fuzzy Hash: 63C15570208381CFE764DF19C484BAAB7E4FF88708F54496DE98997291E774E909CB92
Memory Dump Source
• Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b4a6261c9d4aba38ddc5dca942b67a1e2b7b46bb9fb6fb1a7e79e0a498815563
• Instruction ID: 23cfc7a4a84cebb38c4765062da543f591667070f7556c66a393326be90f91ea
• Opcode Fuzzy Hash: b4a6261c9d4aba38ddc5dca942b67a1e2b7b46bb9fb6fb1a7e79e0a498815563
• Instruction Fuzzy Hash: 82B18170A4026A8BDB39CF59C890BADB7F5EF44708F0495E9D50AE7285EB34DD85CB20
Memory Dump Source
• Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: facfd4f48bafa56bfb9df49a745340437b160176d236a2fbde9aa2d3afd38ee0
• Instruction ID: f2c8b82a278ff33c7a7bb1d648fb2af77fc70c344ea3b7f6dba20fd813c3a300
• Opcode Fuzzy Hash: facfd4f48bafa56bfb9df49a745340437b160176d236a2fbde9aa2d3afd38ee0
• Instruction Fuzzy Hash: 68A1F631E007599FEB21EB5CC844BAEBBF8BB0172CF054165EA11AB291D77CAD40CB91
Memory Dump Source
• Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4ce7e52bde1de57af3be5ff992609125fe3fdccefd09ab0e4fbbdd0060d6b3ae
• Instruction ID: 7f7c56eec340d2403d545c4a194429009df847c8aee2e6e13f90eb13aeac5ffb
• Opcode Fuzzy Hash: 4ce7e52bde1de57af3be5ff992609125fe3fdccefd09ab0e4fbbdd0060d6b3ae
• Instruction Fuzzy Hash: 88A1E670B0161ADBDB29CF69C5917BAB7B9FF4431CF10802DEA05A7285EB34E811CB90
Memory Dump Source
• Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 500870455e32050a94689e2618103a604ce638b26a8d1a271bd093e79048a2a6
• Instruction ID: 59759394fdb170978beaabf319d90082212ca0465ca153190c9f893f46e860d7
• Opcode Fuzzy Hash: 500870455e32050a94689e2618103a604ce638b26a8d1a271bd093e79048a2a6
• Instruction Fuzzy Hash: 13A1BC72A05212DFD711DF18C980B6BBBE9FF88718F05492CE6899B661D335E900CB91
Memory Dump Source
• Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
• Instruction ID: 3cc211031c2bfa9edee0b5cb02c8fca2f5a2293eaaadaf3795030dcc3f1b058f
• Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
• Instruction Fuzzy Hash: CCB12871E0061ADFDF19CFA9C880AAEBBB5FF58314F148129EA18A7354D734E941CB90
Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: dd71768c49d0ac0ea835442bd7c416d811ba226404a5f7a5d375e262a6f44e1f
                                                                                                                                          • Instruction ID: 3a8bb377cd3d481ec0760798a4f6dc7c988df95ffc1e74cc56ee7ef762197b8e
                                                                                                                                          • Opcode Fuzzy Hash: dd71768c49d0ac0ea835442bd7c416d811ba226404a5f7a5d375e262a6f44e1f
                                                                                                                                          • Instruction Fuzzy Hash: 5A91E6B1D0021AAFDF15CFA8C891BAEBFB5EF48708F584059E610EB350D734E9018BA0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: e4c681dab15a91b36ed696d8752e05b88f7c94f33c54160f8f3e3b5d599b271c
                                                                                                                                          • Instruction ID: a3e4a3046b9ea53f9244ceba7e02337aac209c552ddade6f420a94de73290fd3
                                                                                                                                          • Opcode Fuzzy Hash: e4c681dab15a91b36ed696d8752e05b88f7c94f33c54160f8f3e3b5d599b271c
                                                                                                                                          • Instruction Fuzzy Hash: B3913432A00616DBEB24EB6DC440BBABBA6EFC871CF054079ED05AB390E634D941CB55
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                                                                                          • Instruction ID: befa65c192876fcfb2c7ba3ca05094579ec2dc2649ff8e858e43142853e2e697
                                                                                                                                          • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                                                                                          • Instruction Fuzzy Hash: D2817131A0031A9FDF19CF9CC898AAEBBF6BF84314F188569D9169B384D774E911CB50
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 2f6b61008f4111f2161bde4e043d5fd15aee072a44d35b818295195914741c28
                                                                                                                                          • Instruction ID: 09fdbb779b2511d428eaccf83bf3e5bd1fc8d0f09f93a739b2e907f82a6a5f27
                                                                                                                                          • Opcode Fuzzy Hash: 2f6b61008f4111f2161bde4e043d5fd15aee072a44d35b818295195914741c28
                                                                                                                                          • Instruction Fuzzy Hash: 61816D71A00609AFDB65CFA9C880FEEFBB9FB48758F104429E555A7210D730AD05CB60
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: b2c212cf2f881ed4dbf4bc7597d38c1663cc7c8db2f27ad3d9d698ebb45a2c91
                                                                                                                                          • Instruction ID: 18e52683638b22e331049fac9cb123fbfe874fc171a06fa9b7efeaabfbe1bd38
                                                                                                                                          • Opcode Fuzzy Hash: b2c212cf2f881ed4dbf4bc7597d38c1663cc7c8db2f27ad3d9d698ebb45a2c91
                                                                                                                                          • Instruction Fuzzy Hash: AC71CDB5D01629DFCB26DF58C8907BEBBB5FF98718F14415AE942AB350D370A804CBA4
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2994545307-0
                                                                                                                                          • Opcode ID: b27aacf8f5716f02dbb0b841649f2fe2df8907770f92f60c57649e1a730ea9bd
                                                                                                                                          • Instruction ID: 6a3777776d211cd91efa8d1bc7712586ca805d002d29fff124621d32b80a2467
                                                                                                                                          • Opcode Fuzzy Hash: b27aacf8f5716f02dbb0b841649f2fe2df8907770f92f60c57649e1a730ea9bd
                                                                                                                                          • Instruction Fuzzy Hash: EB71C472901205EFEB20CF59E944E9ABBF8FF91308F02815EE614A7668D7B1C941CF54
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 8ae7c13e001ef1d9fc54f44d2e9d250d9b888c2dbbcf54dc9b37ad5620a4b821
                                                                                                                                          • Instruction ID: bb0c6d9385dbc026df8f9a9851cb21fac8c44f6301d7eabe5d667ccf097b1701
                                                                                                                                          • Opcode Fuzzy Hash: 8ae7c13e001ef1d9fc54f44d2e9d250d9b888c2dbbcf54dc9b37ad5620a4b821
                                                                                                                                          • Instruction Fuzzy Hash: B571CD716046428FD312DF2CC484B2BB7E9FFC8318F0585AAE8998B352DB74D846CB95
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                                                                          • Instruction ID: 7e7fb474f38800ee0cc028ea1793e6ae3429c899f35fada42036aa56b404386c
                                                                                                                                          • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                                                                          • Instruction Fuzzy Hash: 3A716D71E0060AEFDB14DFA9C984ADEBBB9FF98308F504569E545E7250DB34EA01CB90
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 8019fe79adf8fabc65df5680ff114b8695f6762d372ccc9cf591f7de595b9ccc
                                                                                                                                          • Instruction ID: 658ad596ad903ca6f0c1c5968ad82ae246c80f3ea43ff3974c0cab830b6d5013
                                                                                                                                          • Opcode Fuzzy Hash: 8019fe79adf8fabc65df5680ff114b8695f6762d372ccc9cf591f7de595b9ccc
                                                                                                                                          • Instruction Fuzzy Hash: 0D71F9B1100B01AFE731DF18C886F967BE6FF40718F158418E75597AA2E779E944CB50
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 2018118a6d02c20809c67f9433769a9fbbf9c5598870ff8022b602e4462169d0
                                                                                                                                          • Instruction ID: 97da4b44e22e46c0a9f6a5806204c882b97fecc732c235766a51270e3917403e
                                                                                                                                          • Opcode Fuzzy Hash: 2018118a6d02c20809c67f9433769a9fbbf9c5598870ff8022b602e4462169d0
                                                                                                                                          • Instruction Fuzzy Hash: F681AD72A0431A8FDB24EF9CD594BAEB7F5BB88318F19416DD900AB791C7749D40CB90
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 7a5e6c30146c2246c37439f0a2abdbd7a548cf8d32d6e9e99ac2f6ccc1cefc41
                                                                                                                                          • Instruction ID: 570202e0d72643991f6788ffe083d5c86a6659dd1fe79e60365a7f42d39ef4fa
                                                                                                                                          • Opcode Fuzzy Hash: 7a5e6c30146c2246c37439f0a2abdbd7a548cf8d32d6e9e99ac2f6ccc1cefc41
                                                                                                                                          • Instruction Fuzzy Hash: 8E711B75E00209AFDF19DF98C845FEEBBB9FF04358F104169E625A7290D774AA05CB90
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 3eb8287d92632e970a1b06df7019da4e7a6879da77dc3cefb018e42de19bbc93
                                                                                                                                          • Instruction ID: 7792921076b86c5a7a45185a485983b63f60e43e74df5d7c68f481c956ae1ea5
                                                                                                                                          • Opcode Fuzzy Hash: 3eb8287d92632e970a1b06df7019da4e7a6879da77dc3cefb018e42de19bbc93
                                                                                                                                          • Instruction Fuzzy Hash: 4051DF73504612AFD712DE68D944E5BB7FCEBC5758F004929BA40EB210D774EE04C7A2
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 33c836724ce7f779ee33030eb434b5987289cc0debad03e94a6f7af5ddbb85ab
                                                                                                                                          • Instruction ID: 5587ef90be14b16795a1b10901e4fcaf9b166c42dcd47b45f860e481a4f2e750
                                                                                                                                          • Opcode Fuzzy Hash: 33c836724ce7f779ee33030eb434b5987289cc0debad03e94a6f7af5ddbb85ab
                                                                                                                                          • Instruction Fuzzy Hash: C551E470900705DFD731CF5AC884AABFBF8BF54B18F10465ED296676A0C7B0AA45CB90
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2994545307-0
                                                                                                                                          • Opcode ID: 1ec1e1f95690687918b41d5d641c945090d022bb7038014fa850221e717fd0ca
                                                                                                                                          • Instruction ID: 6ede3a65699a6867c55ebe13736683a165b3640b90670a85cd185a2f723b3158
                                                                                                                                          • Opcode Fuzzy Hash: 1ec1e1f95690687918b41d5d641c945090d022bb7038014fa850221e717fd0ca
                                                                                                                                          • Instruction Fuzzy Hash: 56515CB1200A05DFCB22EF69C980FAAB7FDFF54748F414869E95197660D734EA40CB50
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 65c766da8e7fcf47a6c4cf84740bb6b344000a67926aa17820537b56f2ecff1f
                                                                                                                                          • Instruction ID: 7d80bec713fbf4aa52a01164d3bc0b05deb845b123efb68047a632c84909ebf4
                                                                                                                                          • Opcode Fuzzy Hash: 65c766da8e7fcf47a6c4cf84740bb6b344000a67926aa17820537b56f2ecff1f
                                                                                                                                          • Instruction Fuzzy Hash: CB5164B16083068FD750DF29C891A6BBBE9BFC8A08F44492DF589C7250EB30DD15CB96
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                                                                          • Instruction ID: 158f07dc0ad39069742c7caa442bad77e3b2ec3ecd42b2802f13cb30167eecac
                                                                                                                                          • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                                                                          • Instruction Fuzzy Hash: E9518E71E0021AABDF15DF98C440BEEBFF9AF45758F044069EA11AB240D734ED45CBA4
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2994545307-0
                                                                                                                                          • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                                                                                          • Instruction ID: 2391fa8d6b55482d5e8f065ee4514ca020f6d5526f50301f0733e5c6e6c8be96
                                                                                                                                          • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                                                                                          • Instruction Fuzzy Hash: 2E51A531D0421AEFEF219B98C898FAEBB79EF0036CF554675D92267190D7709E408BA0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 270d5fe150201e7d610ea911a35dbb1dd3ab0ff7fee4c4e51b97cd4d478a3ba8
                                                                                                                                          • Instruction ID: 1e9c7ada1e7a3fce187269758469d8917787bd0be4bd53213e519f313fd862ed
                                                                                                                                          • Opcode Fuzzy Hash: 270d5fe150201e7d610ea911a35dbb1dd3ab0ff7fee4c4e51b97cd4d478a3ba8
                                                                                                                                          • Instruction Fuzzy Hash: 6D41E670B417229BDE25DB2DC99CB7BFBDAEF91228F048599E915872D0D730D811C690
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: d613c4165a790eacc570809880c848a992594882c498c046258ed08776a16dc0
                                                                                                                                          • Instruction ID: 03b0459ea2598018b4aa731226560692a73c22668053d998cce4f7d074354c4d
                                                                                                                                          • Opcode Fuzzy Hash: d613c4165a790eacc570809880c848a992594882c498c046258ed08776a16dc0
                                                                                                                                          • Instruction Fuzzy Hash: 4D517B7290021ADFCB20DFADC9809AEBBF9FB48258B915519D945A7704D774EE02CBD0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                                                                                          • Instruction ID: 9045d014fdb3435e7dd8371c251d4b3a2a177578118d149a689fde6c0aa3dc78
                                                                                                                                          • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                                                                                          • Instruction Fuzzy Hash: 8041ED716047269FDB25CF58C988A6BF7E9FF90218B05462DE95287680EB30FD14C7D4
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 02a4c39534959a3df9c30a3f9c2c7e4ef5afdc2e9d3e71c73b830c63bc5b6d52
                                                                                                                                          • Instruction ID: 5b5875118b71dd17ce1d485d2740c8abfeffa6320c65ba29fb3ac83a8bf2f616
                                                                                                                                          • Opcode Fuzzy Hash: 02a4c39534959a3df9c30a3f9c2c7e4ef5afdc2e9d3e71c73b830c63bc5b6d52
                                                                                                                                          • Instruction Fuzzy Hash: A9418936A00219DBDB58DF98C440EEEBBB8AF48B18F14816AFD15A7740D7369D41CBA4
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: ce773961ab46fb235e07f31a7818d474fc55a6a5d966433cc94a784e40fd2d6f
                                                                                                                                          • Instruction ID: f82cdac13f499631056c5446b623578e8bfc26f1a2546dd55887023e84f9f542
                                                                                                                                          • Opcode Fuzzy Hash: ce773961ab46fb235e07f31a7818d474fc55a6a5d966433cc94a784e40fd2d6f
                                                                                                                                          • Instruction Fuzzy Hash: 1641B2716043069FDB21EF2CC880A17B7E9FF8821CF014839EA56C7655DB35F8448B55
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                                                                          • Instruction ID: 5f6df0c676a45977070a83682a9cb6d8209f22f3ac65ce15e699cf94d45ddd2d
                                                                                                                                          • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                                                                          • Instruction Fuzzy Hash: C9517B75A00219CFDB15CF9DC480AAEF7B6FF84718F2482A9D915AB351D730AE42CB90
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 42902768dfa2b90916882f5ed2d53acdb207f3e90b2497dcbada43ea7df647f9
                                                                                                                                          • Instruction ID: d5aecb5a982e2ac34582519fc2405f14b00aa8c8d251b8a3067cf7bddc15a7ba
                                                                                                                                          • Opcode Fuzzy Hash: 42902768dfa2b90916882f5ed2d53acdb207f3e90b2497dcbada43ea7df647f9
                                                                                                                                          • Instruction Fuzzy Hash: C751FBB0901316DBDB29EB2CCC01BA9B7B5FF1131CF1482A5E919976D5D774A981CF80
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: b513054093161a25422e837fab6a5b3e82634609f605cfef6239c59d96b8448c
                                                                                                                                          • Instruction ID: 080c2b6ca85986b0a52a85066e48fe70c04ceba43cc0c7dd2cf001f2a713235d
                                                                                                                                          • Opcode Fuzzy Hash: b513054093161a25422e837fab6a5b3e82634609f605cfef6239c59d96b8448c
                                                                                                                                          • Instruction Fuzzy Hash: D5418E71A402289FDF35EF6CC984BEA77B8AF45744F0140A5E908AB241D7789E84CB95
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                                                          • Instruction ID: b41ba9781edf1c89a88b6ad94efaa5f0e70ccab152645270f831680906c4e12f
                                                                                                                                          • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                                                          • Instruction Fuzzy Hash: 61417575F10315ABDB15DF9DCC88AAFBBFAAF84658F1440E9E904A7381D670DD018B50
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: cc8fa95768454ec7f931584a28f1caeec04076292f58f915b46fa9a33681ade8
                                                                                                                                          • Instruction ID: 39838d59cb863195f772bde34f7cf85459e1cd1c9d4db9248689ebba65017d86
                                                                                                                                          • Opcode Fuzzy Hash: cc8fa95768454ec7f931584a28f1caeec04076292f58f915b46fa9a33681ade8
                                                                                                                                          • Instruction Fuzzy Hash: 8431E4336052019FC721DF1DE880E26B7E9FB81368F0A446DE9998BA61D771E801CF95
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 60873f5e16aaa1fc9a34581b32cd47fcec8c406ebfd6d9214557bf39623c03d7
                                                                                                                                          • Instruction ID: b395865f667e35fcb9985b7d1a24ec895e93886c141ac7534bdac7336d18f1ae
                                                                                                                                          • Opcode Fuzzy Hash: 60873f5e16aaa1fc9a34581b32cd47fcec8c406ebfd6d9214557bf39623c03d7
                                                                                                                                          • Instruction Fuzzy Hash: F8419F31200B45DFD726EF28C491FD6BBE9BF55318F05882DEA998B650C7B4E814CB94
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: e66b8896435f5ed50a98c9280526684262f612917f2172f7dd45af5640b0270d
                                                                                                                                          • Instruction ID: dd22aa43a38009f45d7fc12db80c77e47768b093f52efc6ee58f1db95239367b
                                                                                                                                          • Opcode Fuzzy Hash: e66b8896435f5ed50a98c9280526684262f612917f2172f7dd45af5640b0270d
                                                                                                                                          • Instruction Fuzzy Hash: F131AF72604301AFDB20DF28E880A2AB7E5FB84718F05456DF9559BA90E730EC05CB95
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 7bcb067dd6b887ef89335cd22947243b742145d8bf08c431b54a3a4c989c597c
                                                                                                                                          • Instruction ID: f670b3fd5aeac2f45e73f181e349ae2ed5c279afdd6505a5e9c1d4f4edf844bf
                                                                                                                                          • Opcode Fuzzy Hash: 7bcb067dd6b887ef89335cd22947243b742145d8bf08c431b54a3a4c989c597c
                                                                                                                                          • Instruction Fuzzy Hash: 5831C1322096C6DBFB26D79CC948B257BD8FB40B4CF1D04B0AB859B6D2DB28D840C624
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 393418bdb868784e9303e372f827559c58f35c18b38befdce4d8595fc40d92ac
                                                                                                                                          • Instruction ID: 733a108067e5865262c6db972dd120cfd1fc69f37f44c349e2e1c8a64be61169
                                                                                                                                          • Opcode Fuzzy Hash: 393418bdb868784e9303e372f827559c58f35c18b38befdce4d8595fc40d92ac
                                                                                                                                          • Instruction Fuzzy Hash: 8431C6B5A0022AEBDB15DF98CC45BAEB7F9FB44744F458168E900AB284D770ED00CB94
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: c7baff6f005aeea10e16b0317991c013d9dc36ee0d3447dc2dfc29f530bfd2bc
                                                                                                                                          • Instruction ID: 58e4cbb4f1e6e4d4b9681f27537902e86965a05309d38838189f44f687ded425
                                                                                                                                          • Opcode Fuzzy Hash: c7baff6f005aeea10e16b0317991c013d9dc36ee0d3447dc2dfc29f530bfd2bc
                                                                                                                                          • Instruction Fuzzy Hash: 40318336A4012DABCF21DF58DC84BDEBBF9AB98714F1000E5E508A7250CA30DE91CF90
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: de285d06256c8deb09bfdd46efd86b550a42566bafdc20c3f6ae0ec4604efb11
                                                                                                                                          • Instruction ID: 54396e1668b8fb1f9a3b037a0cee904f3037fa5b91511eeaa86d470ac8f41938
                                                                                                                                          • Opcode Fuzzy Hash: de285d06256c8deb09bfdd46efd86b550a42566bafdc20c3f6ae0ec4604efb11
                                                                                                                                          • Instruction Fuzzy Hash: 0531B572E04219AFDB21DFADCC40AAEBBF8FF44754F118435E515D7250D274AE008BA0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: cbdc24a27d753d2d19a6d3fd2117ba065357563d985c9108b399ec17fb3beac9
                                                                                                                                          • Instruction ID: 49da35f1aba59a96a773e8b0c5156e19e1916cda49533b10a6713a038942935f
                                                                                                                                          • Opcode Fuzzy Hash: cbdc24a27d753d2d19a6d3fd2117ba065357563d985c9108b399ec17fb3beac9
                                                                                                                                          • Instruction Fuzzy Hash: 6031C4B1740726EBDB139F9DC851A6AB7F9AF94358F14406DE505DB392DA30DD008790
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: bd425c0856aab92d4d34519bf1e17ee8598caae11c155b20caf3dc39be64ceb9
                                                                                                                                          • Instruction ID: ac80084bcf05eff9531e19c14f6b6691a2d95fa1bcdacabce5e78672ac23a562
                                                                                                                                          • Opcode Fuzzy Hash: bd425c0856aab92d4d34519bf1e17ee8598caae11c155b20caf3dc39be64ceb9
                                                                                                                                          • Instruction Fuzzy Hash: 70312772A04326DBC72AEE688880E6BBFA5AFD4258F024529FC5597310DA70DC0987E1
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 9f1a2da5bf0ffd0d07474dfdea0649e51119651bc8c4801046ae301acb82b47f
                                                                                                                                          • Instruction ID: a18b6d5358f4e79c417f3725d7ea73214cab26faa6419cc052a71de3afa920aa
                                                                                                                                          • Opcode Fuzzy Hash: 9f1a2da5bf0ffd0d07474dfdea0649e51119651bc8c4801046ae301acb82b47f
                                                                                                                                          • Instruction Fuzzy Hash: 3B319AB2609311CFE721EF19C840B6BBBE5FB88708F1449AEE98497751D770E844CB91
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                                                                                          • Instruction ID: d5dc9a8a0777e4ad412108bc587c23b106423948e40da74a67349de36906226f
                                                                                                                                          • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                                                                                          • Instruction Fuzzy Hash: 36312BB2B04B01AFD761CFADDD41F57BBF8BB08A54F04492DA99AC3651E630E900DB60
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: a822bf1f81aaa40b23e475e60ea3e0b8bff95f8afd7b311e4729c5f419cd67a0
                                                                                                                                          • Instruction ID: be34c1b7fa0fb3ef8b8989c6304d579d99565723162e0d6fee14fbc70984153e
                                                                                                                                          • Opcode Fuzzy Hash: a822bf1f81aaa40b23e475e60ea3e0b8bff95f8afd7b311e4729c5f419cd67a0
                                                                                                                                          • Instruction Fuzzy Hash: F631AAB1509342CFCB21DF19C54085ABFF1FF89A18F4589AEE4889B261D331EE45CB92
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                                                                                          • Instruction ID: e7bba6319763d0094b75e4997e55eaebccd799c01a3e33e4219636a3a7148113
                                                                                                                                          • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                                                                                          • Instruction Fuzzy Hash: 3E216D72A00209AFDF129F98CC80BEEBBB9EF88314F244455FA04A7251E734D9508B50
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                                                                                          • Instruction ID: b0efe3edd20b68280f3f926f4419ffa7abd0cf014bea19123b531b5531d2bd26
                                                                                                                                          • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                                                                                          • Instruction Fuzzy Hash: B311E276600605AFD7269B48CC41F9ABBB8EB80B58F104029FA049B180D672EE44CB61
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 1d4e617d09e2ea27744fe3ad5ef89d93799c2d330cab0483be721de0a9789676
                                                                                                                                          • Instruction ID: 5001a780dfa3c59aafedd864c148df7dd09f99589122e2cd5ca346726e830c4f
                                                                                                                                          • Opcode Fuzzy Hash: 1d4e617d09e2ea27744fe3ad5ef89d93799c2d330cab0483be721de0a9789676
                                                                                                                                          • Instruction Fuzzy Hash: 2311C1317016359BDB11DF4DC4C0A66BBE9AF5A718B1980ADEE089F205D6B2E901C7D0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 17225ab21df82ca6f4830540ceb0967897501d717e4ab7d9709199eaf57c5e99
                                                                                                                                          • Instruction ID: 84527fb4c75544d78cb7d899d2f756ec12db9bc9923bfbb9546ac00e95d4a7fb
                                                                                                                                          • Opcode Fuzzy Hash: 17225ab21df82ca6f4830540ceb0967897501d717e4ab7d9709199eaf57c5e99
                                                                                                                                          • Instruction Fuzzy Hash: 27215B75A0021ADFCB14DF98C581AAEBBF5FB88318F3441ADD505AB391CB71AD16CB90
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: dca92997390bf927c457590e5f4842a1323532e8d0f9d3b9cb453af167cc9054
                                                                                                                                          • Instruction ID: ae64c4d12f60ed1931c8c04602b2daa52f9fab532e66a7e99362472c59fb73e0
                                                                                                                                          • Opcode Fuzzy Hash: dca92997390bf927c457590e5f4842a1323532e8d0f9d3b9cb453af167cc9054
                                                                                                                                          • Instruction Fuzzy Hash: 072190B5500B00EFD7608F68C881F66B7F8FF84754F44882DE99AC7650DB71A850CB60
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: e0ff6d3b6a558770fa2da2c2ab7712c5a176837614f743800b2ba24167e9eb86
                                                                                                                                          • Instruction ID: 32124b63ed579d9d0fa07c5639fd8d0606a0c176ee50a02a37e68cfeee33d62a
                                                                                                                                          • Opcode Fuzzy Hash: e0ff6d3b6a558770fa2da2c2ab7712c5a176837614f743800b2ba24167e9eb86
                                                                                                                                          • Instruction Fuzzy Hash: F611A7B2240914EFD722DF5DC981FDA7BA8EF95758F114029F305DB652E670E901C790
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 1eefd452d8e7d40dd6f409b0e75f3db3bb766cd61f6888d6fe3749391d3ab808
                                                                                                                                          • Instruction ID: 13a5d7f3e93c20ebf66a8bbb93ac448e9ad300f8da0a6e427e0c17e92f110ccd
                                                                                                                                          • Opcode Fuzzy Hash: 1eefd452d8e7d40dd6f409b0e75f3db3bb766cd61f6888d6fe3749391d3ab808
                                                                                                                                          • Instruction Fuzzy Hash: AC112B373001149FCF19DB29CC81A6B72AAEFD537CB25453AD922CB294EA34D802C390
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 4e4a32a2d3058099452524f85fb54252388910d50929b24a01f5bbe6b90b06cc
                                                                                                                                          • Instruction ID: 7040eb81e3aa460d59e7d365111eb3aca0fa607d0354f3fa5efb9382c71ed14f
                                                                                                                                          • Opcode Fuzzy Hash: 4e4a32a2d3058099452524f85fb54252388910d50929b24a01f5bbe6b90b06cc
                                                                                                                                          • Instruction Fuzzy Hash: 5711E0B6A01245DFCB65CF5DC581E5ABBF8EF84A18B428079ED059B310E770DD00CBA4
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                                                                                          • Instruction ID: 8e88ac1db86b017546ffc829613240363282b28a98210c27c3f033c92e4d554b
                                                                                                                                          • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                                                                                          • Instruction Fuzzy Hash: 7B110436A00A19AFDB19CB58C805B9DFBF5EF84214F058269E84597380E671AD11CB80
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                                                                                          • Instruction ID: f52e500b6481cff52fa78876817bac85824354a83a0b33d2b00c79f4a23ddf29
                                                                                                                                          • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                                                                                          • Instruction Fuzzy Hash: A811AC32600605EFEB219F4CC840B5ABFA9EF45B5CF458438EA19AB260DB35DD40DBA0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 47cf1ec9e2b910601a946f7c307c2099127d4cdcd03d11d7dcd2dccd8810409f
                                                                                                                                          • Instruction ID: a2f37453a87a2dcf1cb58ecc23bb97dbc2bdd34d701b241dd178de4ed12586b3
                                                                                                                                          • Opcode Fuzzy Hash: 47cf1ec9e2b910601a946f7c307c2099127d4cdcd03d11d7dcd2dccd8810409f
                                                                                                                                          • Instruction Fuzzy Hash: AC01C431605649ABF316A76DE898F2B7EDCEF8069CF054076F900DB651D964EC00C2B1
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: b52e277e483ffaf9bc4388e5db376af241e5a4f6a0c8348e9275d7446e4e50b6
                                                                                                                                          • Instruction ID: 83d67bf2344df0499a9304928abee988c60c1a54396eeef2b29a387691b2c700
                                                                                                                                          • Opcode Fuzzy Hash: b52e277e483ffaf9bc4388e5db376af241e5a4f6a0c8348e9275d7446e4e50b6
                                                                                                                                          • Instruction Fuzzy Hash: 4211CE36300665AFDB25EF5ED840F567BA8EB96B68F014529FA288B650C770E800CF60
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: f0dc3caaac52c248698491b1c20c73560d3c750c8b3b4acc30b3a618f2dcd51c
                                                                                                                                          • Instruction ID: e11f10cef45b6ad32d164fde6946a217c99fdd64420dac0d926559e64fb0a714
                                                                                                                                          • Opcode Fuzzy Hash: f0dc3caaac52c248698491b1c20c73560d3c750c8b3b4acc30b3a618f2dcd51c
                                                                                                                                          • Instruction Fuzzy Hash: DF11C2362006199FDB229A6DD844F67B7A6FFC4718F15442DEB86C76A1DA30AC02CB90
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 7e61e7c3cb2f7aa24fd8fd81aecd47bfce438856f86e9abcc02e1928317c90b7
                                                                                                                                          • Instruction ID: 7a8773051f5edb5e2a7f9ffe85969fcc348f58f327825b4bab031855c77ac71f
                                                                                                                                          • Opcode Fuzzy Hash: 7e61e7c3cb2f7aa24fd8fd81aecd47bfce438856f86e9abcc02e1928317c90b7
                                                                                                                                          • Instruction Fuzzy Hash: 3B1182B2A01615ABDB21EF5DC981F5EFBB8EF84B64F910459DE01A7200D774AD418B60
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 9f154b5e0ac2dc7979b72962a9f3813316681bd2af849ca53e0860d7ce9c8879
                                                                                                                                          • Instruction ID: cea8ed32298fb66f4a4788f0356853f77a06747e57d178563324ac3b3350105e
                                                                                                                                          • Opcode Fuzzy Hash: 9f154b5e0ac2dc7979b72962a9f3813316681bd2af849ca53e0860d7ce9c8879
                                                                                                                                          • Instruction Fuzzy Hash: 1E018C71600109AFD725DF19E444E66BBF9FBC6718F24817AE1098B264D7B4AC42CB90
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                                                                                          • Instruction ID: 9d542bd7ed432c0aa84119b20d9972be6b67bfcf7b205697661b7822e611eda1
                                                                                                                                          • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                                                                                          • Instruction Fuzzy Hash: 01117071205786DBE722A72CD958B257BD8BB4175CF1900E0DA4187A52F72CD842C690
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                                                                                          • Instruction ID: d2965f1ccfa15419ca284cf347f1e7a5d35837cdf46a2f921ce4042e2b406828
                                                                                                                                          • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                                                                                          • Instruction Fuzzy Hash: 5B01F132600226AFE721AF5CCC44F5ABFA9EF81B58F458134FA059B260E772DD40CB90
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                                                                                          • Instruction ID: 1192ac5bfd9b8e7794dcc4d31e261487c4b5997f08ccd3ce2bb99cbbd6eedc21
                                                                                                                                          • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                                                                                          • Instruction Fuzzy Hash: 20016D714067659FCB358F19D840AB27BF8FF55766B00852DFC958B689C332D402CB60
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 7932cd2ff775eecda5f20b603acfe3dfe6192def665d7b9c4b3a2a8d900f11a8
                                                                                                                                          • Instruction ID: f8d66c779b1b5a692261d90e06a3482af4c1f7436384a00e6cbe7b28035e6834
                                                                                                                                          • Opcode Fuzzy Hash: 7932cd2ff775eecda5f20b603acfe3dfe6192def665d7b9c4b3a2a8d900f11a8
                                                                                                                                          • Instruction Fuzzy Hash: 3701F9736415019FD732DF1CD840E13B7E8EB91778B154259EA689B2A6E730DC01C7D0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: df92893eef3e2f5c7cdac6c77c1607f4d7a3f60826599ec7e3832e301a0369dd
                                                                                                                                          • Instruction ID: 130b052aabcd744a097e75fccd72d5efdd3757c70ce2f7e5fe956a4750c20e2d
                                                                                                                                          • Opcode Fuzzy Hash: df92893eef3e2f5c7cdac6c77c1607f4d7a3f60826599ec7e3832e301a0369dd
                                                                                                                                          • Instruction Fuzzy Hash: C311AD32241241EFDB15EF19CD90F16BBB8FF58B48F2000B5E9059B661C235ED01CA90
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 36b31c65f6285fa4ec6f5823c8263781a11edaf27a2109e4f25b1d43ce1e9abb
                                                                                                                                          • Instruction ID: f712255eeb04c26817f46a724bcea130002a0301aec9ede739966a5cfce65bfd
                                                                                                                                          • Opcode Fuzzy Hash: 36b31c65f6285fa4ec6f5823c8263781a11edaf27a2109e4f25b1d43ce1e9abb
                                                                                                                                          • Instruction Fuzzy Hash: BE119A70501228ABDB25AB28CC42FE9B278EF04718F508194A718A60E0DA709E85CF94
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: eb7b889ed8604d29e879d2e9a677272bdb5307666fde4650b7692ef7c218c8f4
                                                                                                                                          • Instruction ID: 99f0c3f988337926d1a4c4333fc6610d8bed1057f38a337651cf406a7dc85bb5
                                                                                                                                          • Opcode Fuzzy Hash: eb7b889ed8604d29e879d2e9a677272bdb5307666fde4650b7692ef7c218c8f4
                                                                                                                                          • Instruction Fuzzy Hash: D511E9B390011DABCB15DB98CC85DDFBBBCEF58258F044166E906E7211EA34EA55CBE0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                                                                                          • Instruction ID: c5c4f282a60828e852e34519ed7658d2ec32ccc4a272372322765936d6a0a60b
                                                                                                                                          • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                                                                                          • Instruction Fuzzy Hash: 390128326001218BEF21AE5DDC80B53776BFFC4708F1680A5EE158F256DA75DC81C390
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: a639490369cc8af83d9446ded891ecb0767a5fe5b11fb85c02c77747743db6c1
                                                                                                                                          • Instruction ID: e27faf837cdc9711861e3940441bce4612b6b3afaceeeace7b936f08546935d4
                                                                                                                                          • Opcode Fuzzy Hash: a639490369cc8af83d9446ded891ecb0767a5fe5b11fb85c02c77747743db6c1
                                                                                                                                          • Instruction Fuzzy Hash: CA11E572600145DFC301CF18C841BE1B7B9FB96308F08815AE9488B716E731EC41CBA0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 42c151f36da6dda1cfd66e020721b7ef79d1e949c290b8b535294d6a3146c203
                                                                                                                                          • Instruction ID: 6e6a4bef755f52bc40b34b49bfe40658bad8b85d0d6520c705210223bda10b93
                                                                                                                                          • Opcode Fuzzy Hash: 42c151f36da6dda1cfd66e020721b7ef79d1e949c290b8b535294d6a3146c203
                                                                                                                                          • Instruction Fuzzy Hash: 8D111CB1E002199BCB00DF99D545A9EBBF8FF58254F10806AA905E7355D674EA018BA4
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 4fde0924bfc77bb9dbfbdf69c7a041f887d256c9fe798a20610f880e82106675
                                                                                                                                          • Instruction ID: fe90653f7338027811c4dd8afffff047daf540fd5a2230e5404dcdf26113b140
                                                                                                                                          • Opcode Fuzzy Hash: 4fde0924bfc77bb9dbfbdf69c7a041f887d256c9fe798a20610f880e82106675
                                                                                                                                          • Instruction Fuzzy Hash: CC01B13A1402119FEB32AE1D8440927BFA9FF91A68B05843EE1555B651CB31DC41CB91
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                                                                                          • Instruction ID: d6d645dfb19dfd39bfd74d4ce1348373b0d0eeeb96e8e8a8141582e9cb784fad
                                                                                                                                          • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                                                                                          • Instruction Fuzzy Hash: D801D832200745DFEB3696ADD840EA777EDFFD6658F048419AA468B944DB74E401C750
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                                                                                          • Instruction ID: bc8324f09ecfaad0a15d23e642d71d3b6975fcd7b2bb0ac6ad7ee270ae09c5c1
                                                                                                                                          • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                                                                                          • Instruction Fuzzy Hash: 1A01F4322046899BE722971DC809F59BFACEF82B5CF0880A5FE04DFAA1D679C801C214
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 0ebfdaaa794c4c991ec0d01e4945025456adffbeb17ff5204f6c051ac7f1e7c9
                                                                                                                                          • Instruction ID: b34bc2c31a29a5c8e26f6f5ef439fda97822c3ef0ca02db30c1d0d659c77fe84
                                                                                                                                          • Opcode Fuzzy Hash: 0ebfdaaa794c4c991ec0d01e4945025456adffbeb17ff5204f6c051ac7f1e7c9
                                                                                                                                          • Instruction Fuzzy Hash: 50014F71A0024DABDB04DFA9D445AEEBBF8FF58314F14406AE905E7390D774EA01CB94
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                                                                          • Instruction ID: 294e466716f3b0fcf846af4ffad72f4f60a35e6991c67f3eebcc6fa792c9e748
                                                                                                                                          • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                                                                          • Instruction Fuzzy Hash: A6F01DB220001DBFEF019F99DD81DAF7BBEEB59298B144125FA11A2160D635DD21ABA0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 437a9df7c11010d8daa4e1c96311b3631c07f433f79b79a92aafd111eeab0dc4
                                                                                                                                          • Instruction ID: 4457bff7dc3c3b408f68cedcd81a80c8e032cab001aa54063100ec136292e6f7
                                                                                                                                          • Opcode Fuzzy Hash: 437a9df7c11010d8daa4e1c96311b3631c07f433f79b79a92aafd111eeab0dc4
                                                                                                                                          • Instruction Fuzzy Hash: 59014537110259EBCF229E84D840EDA7F66FB4C6A8F068115FE5966220C736D971EB81
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 06f5ad5069c1e5e26135f82b6b34d8af0cc648addffcc7cd9e9d76931562e7b6
                                                                                                                                          • Instruction ID: 0c899a0c6f13e8b394403033822768a19d98dd14f817125c79d14b993547d481
                                                                                                                                          • Opcode Fuzzy Hash: 06f5ad5069c1e5e26135f82b6b34d8af0cc648addffcc7cd9e9d76931562e7b6
                                                                                                                                          • Instruction Fuzzy Hash: C2F024712D42415BF328962D9C11F22729AE7C0668F65903AEB098F6C5EA70DC01C3A4
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: b9149e5830d140592d8f127e134f66ba92970d0150d597ed2d86ebabeb9f5f69
                                                                                                                                          • Instruction ID: 8cb1deb5da99046e0a635a0d86e46b3cec28fde709cd7314441041ccc4e5e3f1
                                                                                                                                          • Opcode Fuzzy Hash: b9149e5830d140592d8f127e134f66ba92970d0150d597ed2d86ebabeb9f5f69
                                                                                                                                          • Instruction Fuzzy Hash: B101A4B0244685DFE7629B3CCD59F2537A8BB41F4CF984590BE41DBAE6D728D402C214
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                                                                          • Instruction ID: f0e5ef240f9de108967f5fa27436f7597d22cda00df76c4d2cdcd69443862394
                                                                                                                                          • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                                                                          • Instruction Fuzzy Hash: 07F02E31341D1347E776AE2E9830B2EBA959FD0D08B05472C9505CB680DF20DC10C790
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                                                                                          • Instruction ID: 1c8a5df9f8988bf57df8d4aee588b166afcd3aebbec4d6d623ff654e7197a433
                                                                                                                                          • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                                                                                          • Instruction Fuzzy Hash: 59F082337116229BE7319A4ECC80F16BBACEFD5E64F9A0075A6049B660C764EC01C7D0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 60c5912ed7afd8c892f05a02538776bf92ff62f744ebd6d9807dfadc1107390b
                                                                                                                                          • Instruction ID: c39fa8128aeb5543896575b3203658679f35dc8c6236e4379a956be134d45400
                                                                                                                                          • Opcode Fuzzy Hash: 60c5912ed7afd8c892f05a02538776bf92ff62f744ebd6d9807dfadc1107390b
                                                                                                                                          • Instruction Fuzzy Hash: E8F0C2706093089FC310EF2CC445A1BBBE8FF98714F80865ABC98DB394E634E900C796
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                                                                                          • Instruction ID: 13b82bf94c19ee029646c19c00dfcb124e6d83096d1e7fd2b22f96b44171a496
                                                                                                                                          • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                                                                                          • Instruction Fuzzy Hash: 66F0B472610204AFE718DB25CC01F96BAE9EF98758F148078AD45E7164FAB1ED01C654
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 5d1f4b4a5cb027c4d22c4f35bc84ea2f621967507ca97b05261209d5ba9201f5
                                                                                                                                          • Instruction ID: a79c9751d424c491c163b244f3e0e08354e5fae3ad7c1b330a2eab9dccc49635
                                                                                                                                          • Opcode Fuzzy Hash: 5d1f4b4a5cb027c4d22c4f35bc84ea2f621967507ca97b05261209d5ba9201f5
                                                                                                                                          • Instruction Fuzzy Hash: 48F0C270A0020DEFCB04EF69C515A9EB7B8FF18304F008059B805EB385DA38EA01CB50
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: e58131621f1c6f0d4741d9420186ad6832aa51cb7ed51942d2f617faa11f7ec2
                                                                                                                                          • Instruction ID: 0af2471c12afce1df4c77978e9dedcb2fb552f4e76bc95374a7ecd578e0827cd
                                                                                                                                          • Opcode Fuzzy Hash: e58131621f1c6f0d4741d9420186ad6832aa51cb7ed51942d2f617faa11f7ec2
                                                                                                                                          • Instruction Fuzzy Hash: 2AF0BE319366F59FE732EB6CC044B62BFD89B0062CF09896ADA8D87502D7A6D880C651
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                                                                                          • Instruction ID: 7c494a5ca3034f355ae451a02dc632ab71815a94957dc99fc535c1a5b7f32dea
                                                                                                                                          • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                                                                                          • Instruction Fuzzy Hash: 71D0A932204620ABDB32AA1CFC00FC333E8BB88728F060499B008C7050C364AC81CA88
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                                                                                          • Instruction ID: 3cd9e181e110b191ade956c4b94543049fdf3d4d2dbee75daffcedc1e86f70eb
                                                                                                                                          • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                                                                                          • Instruction Fuzzy Hash: 53E0EC359506849BDF52EF5DC640F5ABBB5BB94B44F150064E1485B660C628A900CB40
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                                                                                          • Instruction ID: bae1b6c45968fdb4399f0f9c15102f7557b873af8e00b8e6d86ab56e4f4339a6
                                                                                                                                          • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                                                                                          • Instruction Fuzzy Hash: 3FD012322170B197DF2D565A6914F677919ABC1A99F1A006D750A93904C5198C42D6E0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                                                                                          • Instruction ID: 81b4fdaf861bcc57f690902f2d8471fa02bde8e13c56eb98cd3b33d16dc47dda
                                                                                                                                          • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                                                                                          • Instruction Fuzzy Hash: 6AD012371D054DBBCB119F66DC01F957BA9E7A4BA0F448020B504875A0C63AE950D584
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 8cae465d0626ff0674d660ab4246e72d5bba826131e99cf637516f74a9ac6b82
                                                                                                                                          • Instruction ID: 77e0a32e6ceebe3750fb22eb60b5cf81a7c4e61d25a424402d3381ed593e78d9
                                                                                                                                          • Opcode Fuzzy Hash: 8cae465d0626ff0674d660ab4246e72d5bba826131e99cf637516f74a9ac6b82
                                                                                                                                          • Instruction Fuzzy Hash: 4BD0C735555505DBEF56DF59C510D6F7A78FF64F4DB4010ACEF0161520D329EC01C650
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                                                                                          • Instruction ID: 0a273284ed6315381fbfbbcd7a6d6b42f2da57bb7ba861df2498a241e3dda49d
                                                                                                                                          • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                                                                                          • Instruction Fuzzy Hash: CDD0C935212E80CFD61BCB0CC5A4F1533B8BB84B48F810490F401CBF22D66CD940CA04
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                                                                                          • Instruction ID: df7b42f97c0c70c168d5334cb0e6da9908464d4318fadc660d3138bc03192772
                                                                                                                                          • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                                                                                          • Instruction Fuzzy Hash: 38C01232290648AFCB12AA99CD01F027BA9EBA8B40F004021F2048B670C635E820EA88
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                                                                          • Instruction ID: 5bcc5ca1f4f3449c6e0428375aa88a93ea879f7a4a2fb84358d77fc264e6b93d
                                                                                                                                          • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                                                                          • Instruction Fuzzy Hash: 5BD01236200248EFCB05DF55C890D9A7B6AFBD8710F148019FD19076108A31FD62DA50
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                                                                          • Instruction ID: 30906cf29d2552c0d7cac1c1a4e2a1fa8dc60db8b267254675ea3c90080deaab
                                                                                                                                          • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                                                                          • Instruction Fuzzy Hash: FCC04C797015428FCF15DB1DD294F4577E4F744754F1548D0E805CB721E628E801CA10
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: ___swprintf_l
                                                                                                                                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                                                          • API String ID: 48624451-2108815105
                                                                                                                                          • Opcode ID: ef863834751743c2faf7445bc205be72ddf89b17c703d6780041ccca829a4a69
                                                                                                                                          • Instruction ID: c713fdfdcc3f4fefb4415535005f52bde165280e5a6a51262a351f103779aae5
                                                                                                                                          • Opcode Fuzzy Hash: ef863834751743c2faf7445bc205be72ddf89b17c703d6780041ccca829a4a69
                                                                                                                                          • Instruction Fuzzy Hash: 0351E6B2A00116AFDB25DB9C888097FFBFCBB48248B15C229F5A5D7645D334DE108BA0
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: ___swprintf_l
                                                                                                                                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                                                          • API String ID: 48624451-2108815105
                                                                                                                                          • Opcode ID: a65563f2da8df68ec290867f96ee3789cf18ec661c9ad64cb6917e858bf15f10
                                                                                                                                          • Instruction ID: 1212da3861acee710ccc911cf8d51841b6a9d5a8a585dd001aa719b5caf9d746
                                                                                                                                          • Opcode Fuzzy Hash: a65563f2da8df68ec290867f96ee3789cf18ec661c9ad64cb6917e858bf15f10
                                                                                                                                          • Instruction Fuzzy Hash: E3512672A0064AEECB35DF9CD99097FFBF9EF44208B448459E896D3641E6B4EA00C760
                                                                                                                                          Strings
                                                                                                                                          • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01394742
                                                                                                                                          • CLIENT(ntdll): Processing section info %ws..., xrefs: 01394787
                                                                                                                                          • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01394655
                                                                                                                                          • ExecuteOptions, xrefs: 013946A0
                                                                                                                                          • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 013946FC
                                                                                                                                          • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01394725
                                                                                                                                          • Execute=1, xrefs: 01394713
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                                                                          • API String ID: 0-484625025
                                                                                                                                          • Opcode ID: 13ea9ee9fc3be31652540434f2d15a52dbb54348f79dfa251b1257457b61ef7b
                                                                                                                                          • Instruction ID: 7ab1fb37d033bdd1cad3e405e9d13bb271523900dade7123e2dfd8d1e708273e
                                                                                                                                          • Opcode Fuzzy Hash: 13ea9ee9fc3be31652540434f2d15a52dbb54348f79dfa251b1257457b61ef7b
                                                                                                                                          • Instruction Fuzzy Hash: F8510A3160021EBAEF21EAACEC95FBD77ACEF1471CF440099DA05A7191E770DA458F61
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
                                                                                                                                          • Instruction ID: 6b73a13c33bdaa63e390b15b7e180e6c10fd4eca6cb9167aabb2c0eae0ed2ca6
                                                                                                                                          • Opcode Fuzzy Hash: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
                                                                                                                                          • Instruction Fuzzy Hash: 210225B1508342AFD705CF18C595A6FBBE9EFD8708F04892DFA994B264DB31E905CB42
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: __aulldvrm
                                                                                                                                          • String ID: +$-$0$0
                                                                                                                                          • API String ID: 1302938615-699404926
                                                                                                                                          • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                                                                                                          • Instruction ID: 601358a6748ec649884d25cc066f6d3beb339a1dc45b14cb05177dc1848ab011
                                                                                                                                          • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                                                                                                          • Instruction Fuzzy Hash: 0381BF70F0524A8EEF258E6CC8517EEFFA9AF45368F18C119D961E729DC63888408F65
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: ___swprintf_l
                                                                                                                                          • String ID: %%%u$[$]:%u
                                                                                                                                          • API String ID: 48624451-2819853543
                                                                                                                                          • Opcode ID: 102f24de252ce710e40cb0944a685dadf66307b21e9ec0c325dc3941361f15dd
                                                                                                                                          • Instruction ID: fd423bad46546727a171d16440dae504681393be9236c241d320611c26c1695a
                                                                                                                                          • Opcode Fuzzy Hash: 102f24de252ce710e40cb0944a685dadf66307b21e9ec0c325dc3941361f15dd
                                                                                                                                          • Instruction Fuzzy Hash: 672131BBE00119ABDB15DE7DDC40AEFBBF8EF58658F444116E915E3204E7319A018BA1
                                                                                                                                          Strings
                                                                                                                                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 013902E7
                                                                                                                                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 013902BD
                                                                                                                                          • RTL: Re-Waiting, xrefs: 0139031E
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                                                                          • API String ID: 0-2474120054
                                                                                                                                          • Opcode ID: 932fae96ab370ea5bbda42b18c6a2214daebbfb69f8a2ef960d1c6fa29e5a46d
                                                                                                                                          • Instruction ID: 52648a24dfae80c1a45f5bb965806e80ebc925ec8518fcf997712dd0235a040d
                                                                                                                                          • Opcode Fuzzy Hash: 932fae96ab370ea5bbda42b18c6a2214daebbfb69f8a2ef960d1c6fa29e5a46d
                                                                                                                                          • Instruction Fuzzy Hash: 6FE190706047419FEB25CF2CC884B2ABBE8BB44328F184A5DF5A58B6E1D774E944CB42
                                                                                                                                          Strings
                                                                                                                                          • RTL: Re-Waiting, xrefs: 01397BAC
                                                                                                                                          • RTL: Resource at %p, xrefs: 01397B8E
                                                                                                                                          • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01397B7F
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                                          • API String ID: 0-871070163
                                                                                                                                          • Opcode ID: 6d6a8ee1c1078e2a19666541df65e974b883c52bedf9da797c755ccebaeda8cb
                                                                                                                                          • Instruction ID: 2b54ae5bdd0339c3e12441ea79070f7a0ba96850b6cbb70bd999e0974005c2c6
                                                                                                                                          • Opcode Fuzzy Hash: 6d6a8ee1c1078e2a19666541df65e974b883c52bedf9da797c755ccebaeda8cb
                                                                                                                                          • Instruction Fuzzy Hash: 3341F6357007029FDB21DE29C840F6AB7EAEF94B18F100A1DF95AD7680DB71E4058F91
                                                                                                                                          APIs
                                                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0139728C
                                                                                                                                          Strings
                                                                                                                                          • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01397294
                                                                                                                                          • RTL: Re-Waiting, xrefs: 013972C1
                                                                                                                                          • RTL: Resource at %p, xrefs: 013972A3
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                          • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                                          • API String ID: 885266447-605551621
                                                                                                                                          • Opcode ID: efba379694eab2fa2ede98cc651ed36b50ca040f204335887304b0b514464012
                                                                                                                                          • Instruction ID: 5e3e534e9998ca965df61de7c7fbe72e875336acb301ac2c0aa7de3de5a223ee
                                                                                                                                          • Opcode Fuzzy Hash: efba379694eab2fa2ede98cc651ed36b50ca040f204335887304b0b514464012
                                                                                                                                          • Instruction Fuzzy Hash: 51411671710606ABDB21CE29CC41F6ABBA9FF54B18F100659FD95EB680DB31E8128BD1
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: ___swprintf_l
                                                                                                                                          • String ID: %%%u$]:%u
                                                                                                                                          • API String ID: 48624451-3050659472
                                                                                                                                          • Opcode ID: 2e569367ee1904bcc72ae732dca21737b32962d76175e821b1fa411677c62670
                                                                                                                                          • Instruction ID: d4469ad4e5525499f4b254493b21d2e1cda46f294a285f06ecd76a0fc2899190
                                                                                                                                          • Opcode Fuzzy Hash: 2e569367ee1904bcc72ae732dca21737b32962d76175e821b1fa411677c62670
                                                                                                                                          • Instruction Fuzzy Hash: EA315272A002199FDB25DF2DDC40BEFB7F8EB54614F54455AED49E3244EF30AA448BA0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: __aulldvrm
                                                                                                                                          • String ID: +$-
                                                                                                                                          • API String ID: 1302938615-2137968064
                                                                                                                                          • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                                                                                                          • Instruction ID: 87b0eadf57617c01a60bf453c88ed372b953d89b284d8cae0f1245fad1e7b344
                                                                                                                                          • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                                                                                                          • Instruction Fuzzy Hash: 1391D870E0020A9BDB24CF6DC880ABEBBBDEF4472CF94C51AE955EB2C8D73489458710
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.1778983247.00000000012F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 012F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_6_2_12f0000_z8eokahasflcrscooplasb.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: $$@
                                                                                                                                          • API String ID: 0-1194432280
                                                                                                                                          • Opcode ID: df6d3c95b7f06784cdde2d9159aff68d764d1b185301673d3468d0d4399feb42
                                                                                                                                          • Instruction ID: 50875b22c32b80bbaac4878ee77bf730397f0e84e1e131d1d96974dcb77052ca
                                                                                                                                          • Opcode Fuzzy Hash: df6d3c95b7f06784cdde2d9159aff68d764d1b185301673d3468d0d4399feb42
                                                                                                                                          • Instruction Fuzzy Hash: A9811A71D002799BDB359B58CC44BEAB6B8AF48718F1041EAEA19B7240D7709E84CFA4

                                                                                                                                          Execution Graph

                                                                                                                                          Execution Coverage:1%
                                                                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                                                                          Signature Coverage:0%
                                                                                                                                          Total number of Nodes:69
                                                                                                                                          Total number of Limit Nodes:7
                                                                                                                                           execution_graph (rendered graph omitted): subgraphs rooted at e821f82, e822e12, e821232, e81c8c2, e8162dd and e822bac; node labels reference getaddrinfo, socket, NtProtectVirtualMemory, NtCreateFile, ObtainUserAgentString, SleepEx, CreateMutexExW and CreateThread.

                                                                                                                                          Control-flow Graph

                                                                                                                                          • Executed
                                                                                                                                          • Not Executed
                                                                                                                                           control_flow_graph (rendered graph omitted): basic blocks span e821232-e8218cd, with calls to e821942, e821172, e822e92 and the NtCreateFile API.
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000007.00000002.4152196445.000000000E750000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E750000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_7_2_e750000_explorer.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CreateFile
                                                                                                                                          • String ID: `
                                                                                                                                          • API String ID: 823142352-2679148245
                                                                                                                                          • Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                                                                                                                          • Instruction ID: a1d4a30d28ec417891005d0f032ad261fcea24cb73d252699e80b89197408412
                                                                                                                                          • Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                                                                                                                          • Instruction Fuzzy Hash: 00226E70A29A199FCB59DF28C4987AEF7E1FB58304F50462EE45ED3650DB30E891CB81

                                                                                                                                          Control-flow Graph

                                                                                                                                          control_flow_graph 434 e822e12-e822e38 435 e822e45-e822e6e NtProtectVirtualMemory 434->435 436 e822e40 call e821942 434->436 437 e822e70-e822e7c 435->437 438 e822e7d-e822e8f 435->438 436->435
                                                                                                                                          APIs
                                                                                                                                          • NtProtectVirtualMemory.NTDLL ref: 0E822E67
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000007.00000002.4152196445.000000000E750000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E750000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_7_2_e750000_explorer.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: MemoryProtectVirtual
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2706961497-0
                                                                                                                                          • Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                                                                                                                          • Instruction ID: 4d988e14268466fccc724acf686d6fb326a3c37d80c6bd105ef53923081104ae
                                                                                                                                          • Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                                                                                                                          • Instruction Fuzzy Hash: 27017134668B484F9B88EF6CE48522AB7E4FBDD315F000B3EE99AC7254EB74D9414742

                                                                                                                                          Control-flow Graph

                                                                                                                                          control_flow_graph 439 e822e0a-e822e6e call e821942 NtProtectVirtualMemory 442 e822e70-e822e7c 439->442 443 e822e7d-e822e8f 439->443
                                                                                                                                          APIs
                                                                                                                                          • NtProtectVirtualMemory.NTDLL ref: 0E822E67
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000007.00000002.4152196445.000000000E750000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E750000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_7_2_e750000_explorer.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: MemoryProtectVirtual
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2706961497-0
                                                                                                                                          • Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                                                                                                                          • Instruction ID: 1bac6e350d80a0473bd29fc337cd5d61acd85854c4af010754e6cf4ad5efa3ba
                                                                                                                                          • Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                                                                                                                          • Instruction Fuzzy Hash: 96016234628B884B8B48EB6C94552A6B7E5FBCE314F400B7EE99AC3251DB65D9024782

                                                                                                                                          Control-flow Graph

                                                                                                                                          APIs
                                                                                                                                          • ObtainUserAgentString.URLMON ref: 0E81C9A0
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000007.00000002.4152196445.000000000E750000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E750000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_7_2_e750000_explorer.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: AgentObtainStringUser
                                                                                                                                          • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                          • API String ID: 2681117516-319646191
                                                                                                                                          • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                                          • Instruction ID: 0809c7a254fe42614751e50c92157c4a3e280b1dced6fc556019486565fba57c
                                                                                                                                          • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                                          • Instruction Fuzzy Hash: 4231F130614A1C8BCB04EFA8C8847EDBBE4FF58204F40062AE44ED7240DE788A44C79A

                                                                                                                                          Control-flow Graph

                                                                                                                                          APIs
                                                                                                                                          • ObtainUserAgentString.URLMON ref: 0E81C9A0
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000007.00000002.4152196445.000000000E750000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E750000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_7_2_e750000_explorer.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: AgentObtainStringUser
                                                                                                                                          • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                          • API String ID: 2681117516-319646191
                                                                                                                                          • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                          • Instruction ID: 1afc9714248edf33b74618b7907f84941af3d87b0a4937eda0c0015b852e3f4b
                                                                                                                                          • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                          • Instruction Fuzzy Hash: CB210470610A1D8BCB05EFA8C8947EDBBE4FF58204F40062EE45AD7250DF788A44C79A

                                                                                                                                          Control-flow Graph

                                                                                                                                          control_flow_graph 408 e8162dd-e816320 call e821942 411 e816326 408->411 412 e8163fa-e81640e 408->412 413 e816328-e816339 SleepEx 411->413 413->413 414 e81633b-e816341 413->414 415 e816343-e816349 414->415 416 e81634b-e816352 414->416 415->416 417 e81635c-e81636a call e820f12 415->417 418 e816370-e816376 416->418 419 e816354-e81635a 416->419 417->418 421 e8163b7-e8163bd 418->421 422 e816378-e81637e 418->422 419->417 419->418 423 e8163d4-e8163db 421->423 424 e8163bf-e8163cf call e816e72 421->424 422->421 426 e816380-e81638a 422->426 423->413 428 e8163e1-e8163f5 call e8160f2 423->428 424->423 426->421 429 e81638c-e8163b1 call e817432 426->429 428->413 429->421
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000007.00000002.4152196445.000000000E750000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E750000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_7_2_e750000_explorer.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Sleep
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 3472027048-0
                                                                                                                                          • Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
                                                                                                                                          • Instruction ID: 3e7dfa7972136d0005d9799b36cd0203f650855e32adb0c270e12c3e87c3e955
                                                                                                                                          • Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
                                                                                                                                          • Instruction Fuzzy Hash: 32316BB4614B09DFDB64EF2980882A5F7A4FB44300F4846BEC9ADCB156DB349894DFD2

                                                                                                                                          Control-flow Graph

                                                                                                                                          control_flow_graph 444 e816412-e816446 call e821942 447 e816473-e81647d 444->447 448 e816448-e816472 call e823c9e CreateThread 444->448
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000007.00000002.4152196445.000000000E750000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E750000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_7_2_e750000_explorer.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CreateThread
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2422867632-0
                                                                                                                                          • Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                                                                                                                                          • Instruction ID: c11ea3f4971df39442d8b25c796978ebc60eeb060e1e7eef8134eadb06650d74
                                                                                                                                          • Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                                                                                                                                          • Instruction Fuzzy Hash: AFF0F630268A494FD788EF2CD48563AF3E0FBE8214F450A3EA58DC3264DA39C9814716